StrongPity APT back: targeting Syria and Turkey with new malware tools

Watering hole attacks against the Kurdish community in Syria and Turkey aiming to exfiltrate data revealed

Trojanized tools used in hacker campaigns

Trojanized tools used in hacker campaigns

Retooled spyware got used in new advanced StrongPity hacker attacks.[1] Cybersecurity researchers revealed that attacks in Syria and Turkey with surveillance and intelligence exfiltration purposes were held by the persistent threat operators known as StrongPity.[2] The report states that the hacker group used new tools and tactics to control the compromised machines.

Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking.

The threat group also is known as Promethium, and these hackers have already been tracked because malicious actors used many trojanized installers and abused the popularity of legitimate applications.[3] The advanced persistent threat – ATP group has been active since 2002 and exposed by researchers many times, but the group remains active.

Key findings of the politically motivated attacks

Information gathering is the main purpose of these attacks and applications, remote connection tools, security software get trojanized to cover many targeted devices and provide options dir the data gathering from victims. During the investigation, it was found that the group is interested in the Kurdish community, and threat placement was based on geopolitical context and recent conflicts in the particular region.[4]

besides this state-sponsored factor and political motivation, it was revealed that APT Group can search for valuable information and gather any files, documents, details from the machine. The watering hole attack allows to select targets in Turkey and Syria and use pre-defined IP addresses. Tracks can be easily hidden by using the 3-tiered C&C infrastructure that allows evading the forensic investigations. Trojanizing popular tools also ensure that campaigns fully work in favor of malicious actors. 

When the device gets compromised and all the persistence ensuring components get laughed, data exfiltration procedures get launched on the machine. Specific filetype extensions are targeted in such attacks, so mechanisms loop around to find them. Temporary archives then get created and split into encrypted files. Eventually, these files get sent to the C&C server and deleted from the system, to avoid any tracking.

Spreading wider than Syria and Turkey

StrongPity was described as an evolving malware toolkit by researchers recently.[5] This is because the group uses a module called winprint32.exe and launched the document searching code that can find and transmit those collected files. The fake Firefox installed runs the check for security tools like Malwarebytes or ESET before the malware payload is dropped on the system.

These functions can indicate that malware creators can be part of the enterprise that is called hacker-for-hire. Also, even when the main targets are Syria and Turkey, hackers expand further and infect users’ devices in Colombia, India, Canada, Vietnam. Trojanized versions of Firefox, VPNpro, DriverPack, and other applications get used.

Investigation revealed at least 47 different servers with various functionalities. Researchers stats that group is released new campaigns been after being exposed, so this is the resilient group, and it is a question if Promethium is going to stop soon.

Its campaigns have been exposed several times, but that was not enough to make the actors behind it to make them stop.