Two of the hotel chains confirmed as targeted in this campaign are the Grand Coloane Resort and the Wynn Palace, both 5-star hotels.
These hotels were planning to host international conferences on trade, investment, and the environment, so DarkHotel’s campaign was likely aiming to lay the foundation for future espionage.
The attached Excel file that supposedly contained important information to hotel operators had malicious macro code in obfuscated form.
Upon opening the file and enabling content in Microsoft Office, the document loads the Task Scheduler Service and drops a VBS script in a system folder.
From there, the malware can launch PowerShell and wscript.exe to obtain host system details and send them to the C2 server.
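The execution chain just described (Office document with a macro, a scheduled task, a dropped VBS script, then wscript.exe and PowerShell talking to a C2) is exactly the kind of parent/child process pattern a defender can hunt for in process-creation telemetry. The detector below is an added example and is not code from the campaign, from the hotels, or from the analysts who reported it; the event format, the field names and every sample event are constructed for illustration, and real Sysmon or EDR data would need to be mapped onto the `ProcEvent` fields first.

```python
# Added example (not from the original report): detect the Office -> Task
# Scheduler / VBS -> wscript.exe / PowerShell chain in process-creation events.
# Field names and sample events are constructed; adapt them to your telemetry.
import ntpath
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "schtasks.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int       # process id of the new process
    ppid: int      # parent process id
    image: str     # full path of the executable
    cmdline: str   # full command line


def basename(path: str) -> str:
    # ntpath handles Windows-style backslashes even when run on Linux/macOS.
    return ntpath.basename(path).lower()


def detect_office_script_chain(events):
    """Return (rule_name, pid) alerts, in event order, for suspicious links
    of the chain: Office spawning a script host or schtasks, a task being
    created, a WSH host running a .vbs file, and a WSH host spawning PowerShell."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = basename(e.image)
        parent_name = basename(parent.image) if parent else ""
        cmd = e.cmdline.lower()

        # Office applications normally never spawn script hosts or schtasks.
        if parent_name in OFFICE_APPS and child in SCRIPT_HOSTS:
            alerts.append(("office_spawns_script_host", e.pid))
        # Persistence via the Task Scheduler, as in the macro described above.
        if child == "schtasks.exe" and "/create" in cmd:
            alerts.append(("scheduled_task_created", e.pid))
        # A dropped VBS script executed through wscript/cscript.
        if child in WSH_HOSTS and ".vbs" in cmd:
            alerts.append(("script_host_runs_vbs", e.pid))
        # VBS handing off to PowerShell for host discovery / C2 communication.
        if child == "powershell.exe" and parent_name in WSH_HOSTS:
            alerts.append(("script_host_spawns_powershell", e.pid))
    return alerts


# Constructed sample telemetry: one infection-like chain plus a benign
# PowerShell launch from Explorer that must NOT fire any rule.
SAMPLE_EVENTS = [
    ProcEvent(50, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -s Schedule"),
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" C:\Users\ops\Downloads\conference_info.xls'),
    ProcEvent(300, 200, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn Updater /tr "wscript.exe C:\Windows\Tasks\upd.vbs" /sc minute'),
    ProcEvent(400, 50, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Windows\Tasks\upd.vbs"),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c Get-ComputerInfo"),
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect_office_script_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each rule fires on one link of the chain rather than on the whole sequence, so a partially observed intrusion (for example, only the scheduled task firing after a reboot) still produces an alert; correlating the four rule names on one host within a short window is what turns them into a high-confidence detection of this pattern.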
The C2 domain is a spoofed domain impersonating the actual website of the Government of the Federated States of Micronesia, which is on “.fsmgov.org.”
By investigating further, analysts found that the C2’s backend is similar to those previously reported and associated with DarkHotel, and also discovered the abuse of Mailman for the distribution of the phishing emails.