A sophisticated spyware known as Darkhotel has been exploiting a vulnerability in Microsoft’s VBScript. Qihoo 360 researchers say the APT has been using the recently patched flaw to corrupt memory and execute arbitrary code.
CVE-2018-8373 was discovered by Trend Micro and quickly patched by Microsoft, but it’s likely that many users haven’t updated. Theoretically, attackers can craft a website which that can exploit the flaw via Internet Explorer, installing software, deleting/retrieving data, or creating new user accounts.
Darkhotel was first discovered in 2014 and has a fitting name. It’s creator specifically targeted hotels, infecting networks and prompting high profile targets to download a fake software or OS update. From there, it would infect the machine with a backdoor and install keyloggers, information stealing modules, and more.
Due to the sophistication and consistent nature of Darkhotel, it’s thought to be related to a nation-state. A recent analysis by McAfee and Intezer indicates that Darkhotel is associated with North Korea.
Darkhotel and Double Kill
Trend Micro also believes Darkhotel used the exploit, and the findings have shed light on a previous attack. In April, Qihoo 360 reported on a similar exploit that was being used to spread malware.
At the time, it said the attack was by a ‘known APT actor’, but didn’t specify which. Trend Micro says Double Kill holds the same techniques as 2018-8373, and Qihoo 360 linked it back to a domain used by Darkhotel in May.
The group behind the attacks appears to be keeping an eye on Microsoft’s latest vulnerabilities and exploiting them before users patch. It’s essentially using every page in the book to steal data, including social engineering.
As always, it’s vital that users ensure their PC’s are up to date, especially before traveling and be aware of any suspicious downloads.