Hackers have utilised the VBScript Engine in a hacking operation dubbed Darkhotel. Microsoft have disabled the execution of VBScript in the default OS Configuration, however the flaw could still be utilised through other means such as Microsoft Office macro abuse.
The Darkhotel threat looks to be a blend of spear phishing and dangerous malware designed to intercept confidential data.
Cybercriminals behind Darkhotel have been targeting thousands of victims across the globe. 90% of the Darkhotel infections we have seen are in Japan, Taiwan, China, Russia and Korea, but we have also seen infections in Germany, the USA, Indonesia, India, and Ireland.
Trend Micro security researchers noticed a VBScript vulnerability being exploited after Microsoft delivered regular updates for the Windows OS in July, the bug has been patched now and assigned CVE-2018-8373. The attacker takes advantage of use-after-free memory corruption that allows the attacker to run shellcode on the compromised computer.
Researchers have found that the vulnerability used the same obfuscation technique found in an older VBScript vulnerability which was patched in May. The older exploit is known as Double Kill ( CVE- 2018-8174 ) and was reported by a firm in China called Qihoo 360.
Qihoo 360 analysed Double Kill and confirmed the association with Darkhotel group.
“During the analysis, we found the decryption algorithm that malware used is identical to APT-C-06’s decryption algorithm,” they wrote at the time, adding that it ran cyberespionage operations and that China was among its main targets.
Darkhotel was brought to light in 2014, the company has traced the group’s activity and also described the operation as the longest running one.
Take your time to comment on this article.
