"Suspected DarkHotel APT Resurgence Targets Luxury Chinese Hotels"

Trellix researchers Thibault Seret and John Fokker have disclosed new activity conducted by the South Korean Advanced Persistent Threat (APT) known as DarkHotel. This APT has been carrying out tailored spear-phishing attacks against business leaders and other high-value targets in the hospitality, government, automotive, and pharmaceutical industries since at least 2007, mainly focusing on surveillance and data theft. According to the researchers, a malicious campaign has been actively targeting luxury hotels in Macao, China, since November 2021, and based on the attack vector and malware used, DarkHotel is suspected to be the culprit. Major hotel chains in Macao, China, including the Grand Coloane Resort and Wynn Palace, were targeted by the APT. The campaign started with spear-phishing emails sent from what appears to be the Macao Government Tourism Office. The malicious emails were sent to management staff in the luxury hotels, such as front office and HR employees who likely have access to guest booking systems. These emails contained an Excel sheet lure that requested the completion of a form for a guest inquiry. If the victim enables macros to read the document, the macros trigger the download and execution of malware payloads. As the researchers worked through the layers of obfuscation, they discovered a malware function designed to create a scheduled task for persistence and for the execution of VBS and PowerShell scripts, which set up a connection to a hard-coded command-and-control (C2) server masquerading as a service owned by the Federated States of Micronesia. This article continues to discuss findings regarding a hacking campaign against Macao's luxury hotels and resorts suspected to be launched by the DarkHotel APT group, as well as threat actors' continued targeting of the travel industry during the COVID-19 pandemic.

ZDNet reports "Suspected DarkHotel APT Resurgence Targets Luxury Chinese Hotels"
