Darkhotel | APT Profile

Description

[Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. [Darkhotel](https://attack.mitre.org/groups/G0012) has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)

Techniques Used (TTPs)

T1518.001 — Security Software Discovery (discovery)
T1497.002 — User Activity Based Checks (defense-evasion, discovery)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1573.001 — Symmetric Cryptography (command-and-control)
T1080 — Taint Shared Content (lateral-movement)
T1082 — System Information Discovery (discovery)
T1056.001 — Keylogging (collection, credential-access)
T1566.001 — Spearphishing Attachment (initial-access)
T1057 — Process Discovery (discovery)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1189 — Drive-by Compromise (initial-access)
T1091 — Replication Through Removable Media (lateral-movement, initial-access)
T1497 — Virtualization/Sandbox Evasion (defense-evasion, discovery)
T1497.001 — System Checks (defense-evasion, discovery)
T1124 — System Time Discovery (discovery)
T1553.002 — Code Signing (defense-evasion)
T1016 — System Network Configuration Discovery (discovery)
T1083 — File and Directory Discovery (discovery)
T1059.003 — Windows Command Shell (execution)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1105 — Ingress Tool Transfer (command-and-control)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1203 — Exploitation for Client Execution (execution)
T1204.002 — Malicious File (execution)

Total TTPs: 24

← Return to Home ← Back to APT Search