Zscaler ThreatLabz identified activity from the South Korea based Dark Hotel APT group. The attack was attributed to the group based on its use of a multi-layer malicious document, the artifacts dropped on the compromised system, a C2 server used in previous attacks, and payload timestamps aligned with previously documented Dark Hotel activity. The malicious document dropped an RTF file that released OLE objects into the %temp% directory. A five-stage attack chain was also observed: creation of a Zone.Identifier alternate data stream (ADS), creation of a registry key for persistence that executes VBScript code via MSHTA, and PowerShell execution with an encoded command leading to C2 communication.

  • Anvilogic Scenario: Dark Hotel APT - Behaviors
  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • Alternate Data Streams
    • Windows Service Created
    • MSHTA.exe execution
    • Encoded Powershell Command
    • Invoke-Expression Command
    • Suspicious Registry Key Created
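As an added example (not code from Zscaler or Anvilogic), the following Python correlates several of the use cases above per host over constructed Sysmon-style events, including decoding the UTF-16LE base64 blob of an encoded PowerShell command to check it for Invoke-Expression; the `host|event_type|detail` line format, the event type names and the three-stage alert threshold are assumptions.

```python
import base64
import re
from collections import defaultdict

# Constructed sample telemetry (not from the Zscaler report): "host|event_type|detail" per line.
ENC = base64.b64encode("IEX (Get-Content notes.txt)".encode("utf-16le")).decode()  # benign plaintext
SAMPLE_EVENTS = f"""\
WS01|FileCreate|C:\\Users\\a\\AppData\\Local\\Temp\\inv.rtf:Zone.Identifier
WS01|RegistryAdd|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd=mshta.exe vbscript:Execute("...")
WS01|ProcessCreate|C:\\Windows\\System32\\mshta.exe vbscript:Execute("...")
WS01|ProcessCreate|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -enc {ENC}
WS02|FileCreate|C:\\Users\\b\\Downloads\\report.pdf:Zone.Identifier
WS02|ProcessCreate|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Command Get-Process
"""

# -e / -ec / -en / -enc / -EncodedCommand followed by the base64 blob
ENC_FLAG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """UTF-16LE plaintext of a -EncodedCommand argument, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def match_stages(event_type, detail):
    """Map one event to the use cases it satisfies (names follow the list above)."""
    stages, d = set(), detail.lower()
    if event_type == "FileCreate" and d.endswith(":zone.identifier"):
        stages.add("Alternate Data Streams")  # noisy alone: every MOTW download creates one
    if event_type == "RegistryAdd" and "\\currentversion\\run\\" in d:
        stages.add("Suspicious Registry Key Created")
    if event_type == "ProcessCreate":
        if "mshta.exe" in d:
            stages.add("MSHTA.exe execution")
        plain = decode_encoded_command(detail)
        if plain is not None:
            stages.add("Encoded Powershell Command")
            if re.search(r"\biex\b|invoke-expression", plain, re.I):
                stages.add("Invoke-Expression Command")
    return stages

def correlate(events, threshold=3):
    """Hosts on which at least `threshold` distinct use cases fired, with the stages seen."""
    per_host = defaultdict(set)
    for line in events.splitlines():
        host, event_type, detail = line.split("|", 2)
        per_host[host] |= match_stages(event_type, detail)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= threshold}
```

Correlating on the host rather than alerting on each use case keeps the Zone.Identifier ADS and encoded-command signals, which are common in benign activity, from paging on their own.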

