Deep-dive: The DarkHotel APT
PART 1: DARKHOTEL DarkHotel is a sophisticated and active advanced persistent threat (APT) group. It’s highly capable and is known for finding and taking advantage of previously unknown vulnerabilities in common software also known as a 0day. It is a well-established group that has been active since 2007, are known Korean-speakers, and are working on behalf of a nation state. DarkHotel was first disclosed in 2014 and is also known as DUBNIUM, Black Shop, Fallout Team, Karba, Luder, Nemim, Nemain, Tapaoux, Pioneer, Shadow Crane, APT-C-06, and TUNGSTEN BRIDGE. From the NSA’s sigs.py script (also known as Territorial Dispute or TeDi) DarkHotel is signature number 25 (SIG25). Malware associated with DarkHotel includes Asruex, Parastic Beast, Inexsmar, Retro backdoor, Gh0st RAT, and the new Ramsay toolkit. Vulnerabilities leveraged in its 0day exploits include CVE-2018-8174, CVE-2018-8373, CVE-2019-1458, CVE-2019-13720, CVE-2019-17026, and CVE-2020-0674. DarkHotel also often exploits CVE-
