Names | HotelAlfa | |
Category | Other | |
Description | (Novetta) HotelAlfa is a stripped down HTTP server that hosted the Guardians of Peace (GOP) hackers’ webpage announcing their demands against SPE as well as the locations of the data that the GOP attackers stole. Consisting of only 4 functions, HotelAlfa is an extremely simple piece of code and is clearly created for a limited purpose. For each incoming connection, HotelAlfa spins off a new thread to handle the request. The thread reads up to 4096 bytes from the client and scans the response for specific keywords. The request from the client does not necessarily need to conform or comply with the HTTP request standard. Instead, the request merely must contain the appropriate file extension otherwise the default HTML page is returned. HotelAlfa responds to .wav and .jpg file extensions with the appropriate file. HotelAlfa only supplies three files to the client: an HTML page, a WAV sound file, and a JPG image. These files are stored within the HotelAlfa binary’s resource section under the RC_DATA branch. Each file is encoded with XOR 0x63, requiring HotelAlfa to decode each file prior to transmitting the data back to the requesting client. When HotelAlfa sends a response back to the client, the response does conform to the HTTP 1.1 standard. | |
Information | <https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf> |
Last change to this tool card: 20 April 2020
Changed | Name | Country | Observed | ||
APT groups | |||||
Lazarus Group, Hidden Cobra, Labyrinth Chollima | 2007-Sep 2024 |
1 group listed (1 APT, 0 other, 0 unknown)