2021-12-21

Dark Hotel APT Group

Level: 
  |  Source: 
ZScaler
Share:

Dark Hotel APT Group

Industry: N/A | Level: Operational | Source: ZScaler

Zscaler ThreatLabz identified activities from the South Korea based Dark Hotel APT group. The group in the attack due utilizing a multi-layer malicious document, artifacts dropping the compromised system, the same C2 used in previous attacks and payload timestamps aligned with previously documented Dark Hotel activity. The malicious document dropped a RTF file that released OLE objects in the %temp$ directory. Additionally, a five-stage attack was observed involving the creation of a zone identifier ADS, creating a registry key for persistence that executes a VBScript code using MSHTA, PowerShell execution with an encoded command leading to C2.

  • Anvilogic Scenario: Dark Hotel APT - Behaviors
  • Anvilogic Use Cases:
  • Executable Process from Suspicious Folder
  • Alternate Data Streams
  • Windows Service Created
  • MSHTA.exe execution
  • Encoded Powershell Command
  • Invoke-Expression Command
  • Suspicious Registry Key Created

Chat with our team to receive a free maturity assessment

Get in Touch