FireEye reported that the Russian hacking group code-named APT28 has been targeting the hospitality sector since last month, in a campaign aimed at travelers staying at hotels throughout Europe and the Middle East. The report further says the hackers used several notable techniques in these incidents, such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service (NBT-NS), and spreading laterally via the EternalBlue exploit.
Initial access came through a malicious document: successful execution of the macro within the document results in the installation of APT28's signature GAMEFISH malware. This was combined with heavy use of py2exe to compile Python scripts. According to FireEye, this is the first time it has seen APT28 incorporate the EternalBlue exploit into its intrusions.
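The NBT-NS poisoning mentioned above works because NetBIOS name resolution is a broadcast with no authentication: whichever host answers a name query first is believed, so a poisoner simply answers every query with its own address and then harvests the credentials that follow. That same property gives defenders a cheap check: broadcast a query for a random name that cannot exist on the network, and any host that answers is poisoning. The script below is an added example written for this article, not code from FireEye or from the report; it builds an RFC 1002 NAME QUERY REQUEST, parses POSITIVE NAME QUERY RESPONSEs, and flags any host that claims a canary name. The sample response packets, IP addresses and the `run_canary_probe` helper (which sends a real broadcast on port 137 if you run the file directly) are constructed for the example.

```python
from __future__ import annotations
import random
import socket
import string
import struct

NBNS_PORT = 137


def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name (RFC 1002 4.1): pad to 15 chars, append the
    one-byte suffix, then emit each nibble as a letter 'A'..'P'. 34 bytes total."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_nbns_name(encoded: bytes) -> tuple[str, int]:
    """Inverse of encode_nbns_name; returns (name, suffix)."""
    if len(encoded) < 34 or encoded[0] != 0x20:
        raise ValueError("not a first-level encoded NetBIOS name")
    body = encoded[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_name_query(txid: int, name: str) -> bytes:
    """NAME QUERY REQUEST as a client broadcasts it: flags 0x0110 = RD + broadcast, one question."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_nbns_name(name) + struct.pack(">HH", 0x0020, 0x0001)


def build_poisoned_response(txid: int, name: str, ip: str) -> bytes:
    """What a poisoner sends back: flags 0x8500 = response + authoritative, one NB answer
    whose RDATA is NB_FLAGS (2 bytes) + the attacker's IPv4 address. Used here only to
    construct sample traffic."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + bytes(int(x) for x in ip.split("."))
    rr = struct.pack(">HHIH", 0x0020, 0x0001, 165, len(rdata))
    return header + encode_nbns_name(name) + rr + rdata


def parse_name_response(packet: bytes):
    """Parse a POSITIVE NAME QUERY RESPONSE; returns (txid, name, [ip, ...]) or None."""
    if len(packet) < 12:
        return None
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if not (flags & 0x8000) or an == 0:          # not a response, or nothing answered
        return None
    off = 12
    for _ in range(qd):                          # responses normally echo no questions
        off += 34 + 4
    name, _suffix = decode_nbns_name(packet[off:off + 34])
    off += 34
    rr_type, _rr_class, _ttl, rdlen = struct.unpack(">HHIH", packet[off:off + 10])
    off += 10
    if rr_type != 0x0020:                        # only NB (address) records matter here
        return None
    rdata = packet[off:off + rdlen]
    addrs = []
    for i in range(0, len(rdata) - 5, 6):
        _nb_flags, a, b, c, d = struct.unpack(">HBBBB", rdata[i:i + 6])
        addrs.append(f"{a}.{b}.{c}.{d}")
    return txid, name, addrs


def random_canary_name(rng=random) -> str:
    """A 12-letter random name; no legitimate host should ever claim it."""
    return "".join(rng.choices(string.ascii_uppercase, k=12))


def detect_poisoner(canary: str, sent_txid: int, responses: list[tuple[str, bytes]]) -> list[dict]:
    """Given (source_ip, udp_payload) pairs captured after broadcasting the canary query,
    return every host that answered for the canary. Any hit is a poisoner."""
    suspects = []
    for src, payload in responses:
        parsed = parse_name_response(payload)
        if parsed is None:
            continue
        txid, name, addrs = parsed
        if txid == sent_txid and name == canary:
            suspects.append({"src": src, "claims": addrs})
    return suspects


def run_canary_probe(broadcast_addr: str = "255.255.255.255", timeout: float = 2.0) -> list[dict]:
    """Live version: broadcast one canary query and collect answers for `timeout` seconds."""
    canary, txid = random_canary_name(), random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_name_query(txid, canary), (broadcast_addr, NBNS_PORT))
        captured = []
        try:
            while True:
                data, (src, _port) = s.recvfrom(1024)
                captured.append((src, data))
        except socket.timeout:
            pass
    return detect_poisoner(canary, txid, captured)


if __name__ == "__main__":
    for hit in run_canary_probe():
        print(f"NBT-NS poisoner: {hit['src']} claims {hit['claims']}")
```

Run it from a laptop on the guest Wi-Fi before doing anything that would send credentials. A genuine answer for a canary name is impossible, so the check has no benign false positives; what it cannot see is a poisoner that answers only selectively, which is why disabling NBT-NS (and LLMNR) on the client remains the real fix.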
APT28 isn’t the only group targeting travelers. The South Korea-nexus Fallout Team (aka Darkhotel) has used spoofed software updates on compromised Wi-Fi networks in Asian hotels, and Duqu 2.0 malware has been found on the networks of European hotels used by participants in the Iranian nuclear negotiations. Additionally, open sources have reported for several years that in Russia and China, high-profile hotel guests may expect their hotel rooms to be entered and their laptops and other electronic devices accessed.