Cybersecurity researchers today revealed new details about attacks aimed at exfiltrating information from the Kurdish community in Syria and Turkey. The StrongPity hackers have returned with new tactics to control compromised systems, Bitdefender said in a report shared with The Hacker News.
The group uses watering-hole attacks to selectively infect victims and operates a three-tier C&C infrastructure. "The group used Trojanized versions of popular tools, such as archivers, file recovery applications, remote connection applications, utilities and even security software, to cover a wide range of options that targeted victims may be looking for," the researchers said.
Because the timestamps of the analyzed malware samples used in the campaign coincide with the Turkish offensive in northeastern Syria (codenamed Operation Peace Spring) last October, Bitdefender reports that the attacks could have political motives.
Using Trojanized installers to drop malware
StrongPity (also known as Promethium) first came to light in October 2016 after attacks on users in Belgium and Italy that used watering holes to deliver malicious versions of WinRAR and of the TrueCrypt file encryption software.
Since then, the APT group has been linked to a 2018 operation that abused the Türk Telekom network to redirect hundreds of users in Turkey and Syria to malicious StrongPity versions of the original software.
So when targeted users try to download a legitimate application from its official website, a watering-hole attack or HTTP redirection takes place, aimed at compromising their systems.
Last July, AT&T Alien Labs found evidence of a new spyware campaign that used Trojanized versions of the WinBox router management software and WinRAR to install StrongPity and communicate with the adversary's infrastructure.
The attack method identified by Bitdefender remains largely the same: it targets victims in Turkey and Syria using a predefined list of IP addresses, leveraging Trojanized installers - including McAfee Security Scan Plus, Recuva, TeamViewer, WhatsApp and Piriform's CCleaner - hosted on local software aggregation and file-sharing sites.
"It is interesting that all the files that were investigated regarding the infected applications seem to have been compiled from Monday to Friday, during a regular eight-hour working day from 9 in the morning to 6 in the afternoon," said the researchers. "This reinforces the idea that StrongPity could be a funded and organized group of developers paid to deliver specific 'projects.'"
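The compile-time observation above is something an analyst can reproduce on any sample set: the PE/COFF header carries a TimeDateStamp, and bucketing those stamps by weekday and hour shows whether a campaign's builds cluster in office hours. The following is an added example (not code from the Bitdefender report or from The Hacker News) that parses that field from a PE image and classifies it; the timezone offset, the 9-to-18 window, and the three embedded sample stubs are constructed assumptions for illustration, not values from the page.

```python
import struct
from datetime import datetime, timezone, timedelta


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def classify(ts: int, tz_offset_hours: int = 0, start_hour: int = 9, end_hour: int = 18):
    """Return (weekday, hour, in_business_hours) for the stamp viewed in the given UTC offset.

    weekday follows datetime: 0 = Monday ... 6 = Sunday.
    """
    dt = datetime.fromtimestamp(ts, tz=timezone(timedelta(hours=tz_offset_hours)))
    in_hours = dt.weekday() < 5 and start_hour <= dt.hour < end_hour
    return dt.weekday(), dt.hour, in_hours


def build_sample_pe(ts: int) -> bytes:
    """Constructed minimal MZ + PE stub carrying the given TimeDateStamp (fixture only, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, TimeDateStamp, no symbols, no optional header, characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x102)
    return bytes(dos) + coff


def summarize(samples: dict, tz_offset_hours: int = 0):
    """Given {name: pe_bytes}, return (fraction built in working hours, {name: (weekday, hour, ok)})."""
    details = {name: classify(pe_timestamp(data), tz_offset_hours) for name, data in samples.items()}
    hits = sum(1 for _, _, ok in details.values() if ok)
    return (hits / len(details) if details else 0.0), details


def _epoch(y, m, d, h, mi, tz_offset_hours):
    return int(datetime(y, m, d, h, mi, tzinfo=timezone(timedelta(hours=tz_offset_hours))).timestamp())


# Constructed sample set; UTC+3 is an assumed analyst timezone, not one stated on the page.
ASSUMED_TZ = 3
SAMPLES = {
    "installer_a.exe": build_sample_pe(_epoch(2019, 10, 14, 10, 0, ASSUMED_TZ)),   # Monday, 10:00
    "installer_b.exe": build_sample_pe(_epoch(2019, 10, 13, 10, 0, ASSUMED_TZ)),   # Sunday, 10:00
    "installer_c.exe": build_sample_pe(_epoch(2019, 10, 16, 23, 30, ASSUMED_TZ)),  # Wednesday, 23:30
}


def demo():
    """Run the triage over the constructed sample set."""
    return summarize(SAMPLES, ASSUMED_TZ)


if __name__ == "__main__":
    fraction, details = demo()
    for name, (wd, hr, ok) in details.items():
        print(f"{name}: weekday={wd} hour={hr:02d} office_hours={ok}")
    print(f"{fraction:.0%} of samples compiled in office hours")
```

The timestamp can be forged or zeroed by the build toolchain, so this is a weak signal on its own; it becomes meaningful only when a whole sample set clusters consistently, as the researchers describe.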
Once the victim downloads and runs the Trojanized installer, the backdoor is installed, which establishes communication with a command-and-control server to exfiltrate documents and retrieve commands to be executed.
It also deploys a "File Searcher" component on the victim's machine that loops through every drive and looks for files with specific extensions (e.g. Microsoft Office documents), which are then bundled into a ZIP archive.
This ZIP archive is then split into multiple hidden, encrypted .sft files, sent to the C&C server, and finally deleted from disk to cover any trace of the exfiltration.
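The staging behaviour described above (hidden, encrypted .sft chunks written to disk before upload) leaves a short-lived but detectable footprint. The following is an added example from the defender's side, not code from the report or from the malware: it walks a directory tree, keeps only hidden files with the .sft extension, measures their byte entropy to separate encrypted chunks from ordinary files, and reports directories holding two or more such chunks. The extension, the entropy threshold, the minimum chunk count and the fixture tree it builds are assumptions chosen for illustration.

```python
import math
import stat
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

CHUNK_EXT = ".sft"        # extension named in the report; everything else here is assumed
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits close to 8.0
MIN_CHUNKS = 2            # a split archive yields several chunks in one directory


def is_hidden(path: Path) -> bool:
    """Hidden via the Windows FILE_ATTRIBUTE_HIDDEN bit, or via a leading dot on POSIX."""
    st = path.stat()
    attrs = getattr(st, "st_file_attributes", 0)          # only present on Windows
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2):
        return True
    return path.name.startswith(".")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_suspicious_chunks(root, sample_bytes: int = 4096) -> dict:
    """Return {directory: [names]} for directories holding >= MIN_CHUNKS hidden, high-entropy .sft files."""
    by_dir = defaultdict(list)
    for p in Path(root).rglob("*" + CHUNK_EXT):   # pathlib matches dotfiles with "*"
        if not p.is_file() or not is_hidden(p):
            continue
        with p.open("rb") as fh:
            head = fh.read(sample_bytes)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            by_dir[str(p.parent)].append(p.name)
    return {d: sorted(names) for d, names in by_dir.items() if len(names) >= MIN_CHUNKS}


def build_fixture() -> str:
    """Constructed directory tree for testing: two fake encrypted chunks plus two benign .sft files."""
    root = tempfile.mkdtemp(prefix="sft_demo_")
    stage = Path(root) / "stage"
    stage.mkdir()
    # Deterministic stand-in for ciphertext: every byte value equally often gives exactly 8.0 bits/byte.
    fake_ciphertext = bytes(range(256)) * 16
    (stage / ".chunk0001.sft").write_bytes(fake_ciphertext)
    (stage / ".chunk0002.sft").write_bytes(fake_ciphertext)
    (stage / ".readme.sft").write_text("hidden but plain text, low entropy\n" * 50)  # hidden, not encrypted
    (Path(root) / "notes.sft").write_bytes(fake_ciphertext)                         # encrypted, not hidden
    return root


def demo():
    """Build the fixture and run the scan over it; returns (root, findings)."""
    root = build_fixture()
    return root, find_suspicious_chunks(root)


if __name__ == "__main__":
    root, hits = demo()
    for d, names in hits.items():
        print(f"{d}: {len(names)} hidden high-entropy {CHUNK_EXT} files -> {names}")
```

Because the chunks are deleted once the upload completes, a scan like this is most useful when run on a schedule or triggered from file-creation telemetry; the more durable indicators are the outbound transfers to the C&C infrastructure described in the report.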
Expansion beyond Syria and Turkey
Although Syria and Turkey may be its recurring targets, the threat actor behind StrongPity seems to be expanding its victimology to infect users in Colombia, India, Canada and Vietnam using Trojanized versions of Firefox, VPNpro, DriverPack and 5kPlayer.
Calling it StrongPity3, Cisco Talos researchers yesterday described an evolving malware toolkit that uses a module called "winprint32.exe" to launch the document search and transmit the collected files. In addition, its fake Firefox installer checks whether ESET or BitDefender antivirus software is installed before dropping the malware.