After the storm that WannaCry caused in May, calm seemed to have returned, but its offshoots are what is now starting to worry. It is known that this malware spread using the ‘EternalBlue’ exploit, which was published by the group ‘The Shadow Brokers’ as part of a set of tools used by the NSA for espionage and global surveillance.
How does the attack work?
This malware has some curious peculiarities. The attack begins with a traditional phishing campaign, which in this case targeted hotel chains, mostly in seven European countries and one in the Middle East.
The e-mail arrives with an attachment named “Hotel Reservation Form.doc” containing macros that install ‘GameFish’ on the machine, from which it spreads through the hotel’s local network (this is where ‘EternalBlue’ comes in). Once inside, the malware locates the computers responsible for controlling the Wi-Fi networks and, after gaining control of those machines, the attackers control the traffic passing through the network: both the hotel’s administrative data and the data of the guests using it.
Security experts believe that the purpose of this malware is to obtain information on government-related guests and employees of important companies, using control of the network to capture the login credentials of anyone connected. The one limit is that the stolen credentials only give access to accounts that do not have two-step authentication enabled: a user who has it enabled receives an SMS or a notification through an app (such as the Google or Apple authentication prompts) asking to confirm the login, and by refusing it stops the attack. That user’s data remains secure.
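To show concretely why a password captured on the hotel network is of no use against an account protected by a second factor, here is an added Python example, written for this article and not code from the campaign or from FireEye. It implements the time-based one-time codes that authenticator apps generate (TOTP, RFC 6238, built on HOTP, RFC 4226) and a login check that requires such a code whenever the account has one enrolled. The usernames, the captured password, the secret and the timestamp are constructed for the demonstration; it models app-generated codes, not SMS delivery.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30       # seconds per code, as in RFC 6238
TOTP_DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = TOTP_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the time step as counter."""
    return hotp(key, unix_time // step)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Constructed account record: salted password hash plus an optional TOTP secret."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def verify_login(user: dict, password: str, code: Optional[str], now: int) -> str:
    """Return 'granted' or a 'denied: ...' reason, using constant-time comparisons."""
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return "denied: bad password"
    secret = user["totp_secret"]
    if secret is None:
        return "granted"          # password alone suffices, so a captured password replays fine
    if code is None:
        return "denied: second factor required"
    step = now // TOTP_STEP
    # Accept the previous and next step as well, to tolerate clock drift between phone and server.
    for counter in (step - 1, step, step + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return "granted"
    return "denied: bad code"


def replay_demo(now: int = 1_500_000_000) -> dict:
    """Replay a password sniffed on the network against two accounts (all values constructed)."""
    captured_password = "Summer2017!"            # what the attacker saw on the wire
    secret = secrets.token_bytes(20)             # exists only on the guest's phone and the server
    without_2fa = make_user(captured_password)
    with_2fa = make_user(captured_password, secret)
    valid_codes = {hotp(secret, now // TOTP_STEP + d) for d in (-1, 0, 1)}
    wrong_code = next(str(i).zfill(TOTP_DIGITS) for i in range(10) if str(i).zfill(TOTP_DIGITS) not in valid_codes)
    return {
        "replay, no 2FA": verify_login(without_2fa, captured_password, None, now),
        "replay, 2FA, no code": verify_login(with_2fa, captured_password, None, now),
        "replay, 2FA, guessed code": verify_login(with_2fa, captured_password, wrong_code, now),
        "legitimate user with app code": verify_login(with_2fa, captured_password, totp(secret, now), now),
    }


if __name__ == "__main__":
    for scenario, outcome in replay_demo().items():
        print(f"{scenario:32s} -> {outcome}")
```

The first scenario is the one the attackers rely on: a password alone, captured from the network, logs in. The remaining scenarios show that the same password fails against the enrolled account unless the 30-second code from the guest’s phone accompanies it, which the attacker never saw on the wire. The ±1-step window is the usual tolerance for clock drift; widening it further only gives a guesser more chances.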
This attack coincides in some respects with “DarkHotel”, similar malware that spread through some hotels last year, when ‘EternalBlue’ was not yet known. The security company FireEye notes that, despite these similarities, the two attacks are unrelated, since the “DarkHotel” malware was found to have attacked only Korean targets. Moreover, while GameFish was designed to collect passwords, DarkHotel focused on tampering with software updates.
So far there is no simple way to stop GameFish once it is already installed. FireEye therefore recommends avoiding free Wi-Fi networks where possible and, when they must be used, not accessing sensitive or important content through them.