Saturday, July 4, 21:25

StrongPity hackers target Syria and Turkey

Cybersecurity researchers today revealed new details about information-stealing attacks on the Kurdish community in Syria and Turkey. The StrongPity hackers have returned with new tactics for controlling compromised systems, Bitdefender said in a report shared with The Hacker News.

The group uses "watering holes" to selectively infect victims and operates a three-tier C&C infrastructure. It relied on trojanized versions of popular tools, "such as archivers, file recovery applications, remote connection applications, utilities and even security software, to cover a wide range of options that targeted victims may be looking for," the researchers said.

Because the timestamps of the malware samples analyzed in the campaign coincide with the Turkish offensive in northeastern Syria (codenamed Operation Peace Spring) last October, Bitdefender suggests that the attacks could be politically motivated.


Using tainted installers to drop the malware

StrongPity (also known as Promethium) was first publicly documented in October 2016, after attacks on users in Belgium and Italy that used watering holes to deliver malicious versions of WinRAR and the TrueCrypt file encryption software.

Since then, the APT group has been linked to a 2018 operation that abused the Türk Telekom network to redirect hundreds of users in Turkey and Syria to malicious StrongPity versions of legitimate software.

In other words, when targeted users try to download a legitimate application from its official website, a watering hole attack or an HTTP redirect intervenes to compromise their systems.

Last July, AT&T Alien Labs found evidence of a new spyware campaign that used trojanized versions of the WinBox router management software and WinRAR to install StrongPity and communicate with the attackers' infrastructure.

The attack method in the campaign newly identified by Bitdefender remains the same: it targets victims in Turkey and Syria, selected from a predefined list of IP addresses, using trojanized installers, including McAfee Security Scan Plus, Recuva, TeamViewer, WhatsApp and Piriform's CCleaner, hosted on local software aggregation and file-sharing sites.

"It is interesting that all the files that were investigated regarding the infected applications seem to have been compiled from Monday to Friday, during regular eight-hour working days, from 9 in the morning to 6 in the afternoon," the researchers said. "This reinforces the idea that StrongPity could be a funded and organized group of developers paid to deliver specific 'projects.'"

Once the victim downloads and runs the trojanized installer, the backdoor is installed and establishes communication with a command and control server, to which it uploads documents and from which it retrieves commands to execute.

It also deploys a "File Searcher" component on the victim's machine that goes through every drive and looks for files with specific extensions (e.g. Microsoft Office documents), which are then collected into a ZIP archive.

This ZIP archive is then split into many hidden, encrypted .sft files, which are sent to the C&C server and finally deleted from the disk to cover any traces of the exfiltration.
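As an added defender-side example (not code from the Bitdefender report or from the article), the following Python walks a directory tree and flags the staging pattern described above: hidden files carrying the .sft extension. The sample tree, the function names and the chunk file names are assumptions constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extension the report attributes to the hidden, encrypted exfiltration
# chunks that are written to disk before upload and later deleted.
STAGING_EXT = ".sft"


def is_hidden(path: Path) -> bool:
    """A dot-prefixed name counts as hidden (POSIX convention, also used
    here so the demo runs anywhere); on Windows the FILE_ATTRIBUTE_HIDDEN
    bit exposed via st_file_attributes is checked as well."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_staging_artifacts(root) -> list:
    """Return every file under root that matches the staging pattern:
    hidden AND .sft. Visible .sft files and other hidden files are ignored,
    so a hit is a stronger signal than either property alone."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() == STAGING_EXT and is_hidden(p):
                hits.append(str(p))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed fixture (not real malware output): a temp directory with
    two hidden .sft chunks, one visible .sft file and ordinary documents."""
    root = tempfile.mkdtemp(prefix="sft_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx").write_bytes(b"PK\x03\x04 constructed sample")
    (docs / "notes.txt").write_text("constructed sample")
    (docs / ".chunk01.sft").write_bytes(os.urandom(64))  # hidden chunk
    (docs / ".chunk02.sft").write_bytes(os.urandom(64))  # hidden chunk
    (Path(root) / "installer.sft").write_bytes(b"visible, not hidden")
    return root


if __name__ == "__main__":
    for hit in find_staging_artifacts(build_sample_tree()):
        print("suspicious staging file:", hit)
```

Running it on a real host, point find_staging_artifacts at user profile directories rather than the fixture; a hit is a lead for an incident responder, not proof of compromise on its own.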

Expansion beyond Syria and Turkey

Although Syria and Turkey may be its recurring targets, the threat actor behind StrongPity appears to be expanding its victim base, infecting users in Colombia, India, Canada and Vietnam with trojanized versions of Firefox, VPNpro, DriverPack and 5kPlayer.

Calling it StrongPity3, Cisco Talos researchers yesterday described an evolving malware toolkit that uses a module called "winprint32.exe" to launch the document search and transmit the collected files. In addition, its fake Firefox installer checks whether ESET or BitDefender antivirus software is installed before dropping the malware.
