ATK52

Presumed Origin: South Korea < Back

Alias: APT-C-06, DUBNIUM, DarkHotel, Fallout Team, Karba, Luder, Nemim, Nemin, Pioneer, SIG25, Shadow Crane, Tapaoux

ATK52 (aka: DarkHotel) is a Korean speaking attacker. While some have attributed this attacker to North Korea, notably due to the overlap between the group and ATK4, there is a consensus linking this threat actor to South Korea instead. This actor targets government entities, especially in the diplomatic, defense and law enforcement. It is especially active in the Sea of Japan and the East China Sea. Its goal is espionage of specific individuals. The group possesses extended cryptographic knowledge, that allowed it to create fake certificate, a capacity do develop and use 0-days (especially around Flash Player). It also has access to an extended network infrastructure that is reliable, allowing the group to maintain long-term access to the system.

In January 2020, a few days after Microsoft stopped Windows 7 support, DarkHotel used the DoubleStar 0day (CVE-2019-17026?CVE-2020-067) to attack Chinese government-related commerce agencies

Références :

10/11/2014, Kaspersky, The Darkhotel APT, http://securelist.com/the-darkhotel-apt/66779/
10/08/2015, Kaspersky, Darkhotel’s attacks in 2015, http://securelist.com/darkhotels-attacks-in-2015/71713/
09/06/2016, Microsoft, Reverse-engineering DUBNIUM, http://cloudblogs.microsoft.com/microsoftsecure/2016/06/09/reverse-engineering-dubnium-2/?source=mmpc
20/10/2017, Virus Bulletin, VB2017 paper: Walking in your enemy's shadow: when fourth-party collection becomes attribution hell, http://www.virusbulletin.com/blog/2017/10/vb2017-paper-walking-your-enemys-shadow-when-fourth-party-collection-becomes-attribution-hell/
18/07/2017, BitDefender, Inexsmar: An unusual DarkHotel campaign, http://labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/
13/05/2019, Kaspersky, ScarCruft continues to evolve, introduces Bluetooth harvester, http://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
24/06/2019, Tencent https://s.tencent.com/research/report/741.htm
11/02/2020, 360.cn, Darkhotel (APT-C-06) utilise la vulnérabilité 0Day "Double Star" (CVE-2019-17026, CVE-2020-0674) pour analyser les attaques APT lancées par la Chine, original (cn) - http://blogs.360.cn/post/apt-c-06_0day.html translated (en) - https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fblogs.360.cn%2Fpost%2Fapt-c-06_0day.html

REFERENCES

Target sector

Defense
Government and administration agencies
Hospitality
Manufacturing
Military
Pharmacy and drug manufacturing
Research
Transportation

Target countries

China
Japan
Korea, Democratic People'S Republic Of
Korea, Republic of
Russian Federation
Taiwan

Attack pattern

T1016 - System Network Configuration Discovery
T1023 - Shortcut Modification
T1027 - Obfuscated Files or Information
T1036 - Masquerading
T1056 - Input Capture
T1057 - Process Discovery
T1060 - Registry Run Keys / Startup Folder
T1063 - Security Software Discovery
T1064 - Scripting
T1068 - Exploitation for Privilege Escalation
T1080 - Taint Shared Content
T1082 - System Information Discovery
T1091 - Replication Through Removable Media
T1116 - Code Signing
T1140 - Deobfuscate/Decode Files or Information
T1145 - Private Keys
T1170 - Mshta
T1189 - Drive-by Compromise
T1193 - Spearphishing Attachment
T1203 - Exploitation for Client Execution
T1204 - User Execution

Motivation

Espionage

Malwares

DarkHotel
Nemim
Tapaoux

Vulnerabilities

CVE-2010-0188
CVE-2014-0497
CVE-2015-5119
CVE-2016-4117
CVE-2019-17026
CVE-2020-0674