DarkHotel: NoKor Hacking Elite Targeting IE Scripting Engine

February 14, 2019

The stealthy North Korean APT group dubbed DarkHotel, otherwise known as APT-C-06, Fallout Team, SIG25, and so on, has been progressively focusing on Internet Explorer (IE) scripting motor. Security specialists as of late found that DarkHotel made new endeavors for two more seasoned vulnerabilities influencing the Internet Explorer scripting motors.


Despite the fact that DarkHotel’s exercises were uncovered in 2014, security specialists trust that the programmer assemble has been dynamic since 2007. In any case, throughout the years, the cybercriminal group, that is known to have connections to the Pyongyang routine, has advanced and all the more as of late, has been focusing on political figures.


Security researchers named the group DarkHotel, but they’re also known as Tapaoux by other security firms who have been separately tracking their spear-phishing and P2P attacks. The attackers have been active since at least 2007, using a combination of highly sophisticated methods and pedestrian techniques to ensnare victims, but these hacks appear to be a new and daring development in a campaign aimed at high-value targets.


The attackers seems to take a two-pronged approach—using the P2P campaign to infect as many victims as possible and then the spear-phishing and hotel attacks for surgically targeted attacks. In the P2P attacks thousands of victims are infected with botnet malware during the initial stage, but if the victim turns out to be interesting, the attackers go a step further to place a backdoor on the system to exfiltrate documents and data.


This year, DarkHotel has been over and over focusing on the IE VBScript scripting motor. As per security analysts at Qihoo 360 Core, the North Korean APT group not just utilized two zero-day bugs focusing on IE scripting motors, the programmers additionally made new adventures for two more seasoned IE scripting motor imperfections.


“After examination, we discovered that the confusion and misuse of these four [exploits] are exceedingly steady. We speculate that they are from a similar programmer (or hacking team),” said Qihoo 360 Core scientists. “We trust that there are other comparable issues in VBScript, and conjecture that there are other comparative adventures that are under the control of the programmer or hacking team.”



About the author

Leave a Reply