Dark Hotel APT Group
Industry: N/A | Level: Operational | Source: ZScaler
Zscaler ThreatLabz identified activity attributed to the South Korea based Dark Hotel APT group. Attribution rests on the use of a multi-layer malicious document, the artifacts dropped on the compromised system, reuse of the same C2 infrastructure seen in previous attacks, and payload timestamps that align with previously documented Dark Hotel activity. The malicious document dropped an RTF file that released OLE objects into the %temp% directory. A five-stage attack chain was also observed, including creation of a Zone.Identifier alternate data stream (ADS), creation of a registry key for persistence that executes VBScript via MSHTA, and PowerShell execution with an encoded command leading to C2 communication.
- Anvilogic Scenario: Dark Hotel APT - Behaviors
- Anvilogic Use Cases:
- Executable Process from Suspicious Folder
- Alternate Data Streams
- Windows Service Created
- MSHTA.exe execution
- Encoded Powershell Command
- Invoke-Expression Command
- Suspicious Registry Key Created