StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure
Bitdefender researchers have recently found the APT group StrongPity has been targeting victims in Turkey and Syria. Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking.
The data gathered while investigating this group suggests the attackers are interested especially in the Kurdish community, placing the threat in the geo-political context of the constant conflicts in the region.
Interestingly, the samples used in one of the attackers’ campaigns seems to have been timestamped starting October 1st 2019, coinciding with the launch of the Turkish offensive into north-eastern Syria, code-named Operation Peace Spring. While there is no direct forensic evidence suggesting that the StrongPity APT group operated in support of Turkish military operations, the victim’s profile coupled with the timestamps on the analyzed samples make for an interesting coincidence.
- Potentially state-sponsored APT Group with political motivation
- Ability to search for and exfiltrate any file or document from a victim’s machine Watering hole tactic that selectively targets victims in Turkey and Syria using pre-defined IP list
- 3-tiered C&C infrastructure for covering tracks and thwarting forensic investigation
- Use of fully working Trojanized popular tool
Interestingly, all files investigated pertaining to the tainted applications appear to have been compiled from Monday to Friday, during normal 9 to 6 UTC+2 working hours. This strengthens the idea that StrongPity could be a sponsored and organized developer team paid to deliver certain “projects.”
Victims are screened based on a $targets list, suggesting that attackers can deliver the tainted version of the Trojanized applications if the victim’s IP address matches one found in the file, otherwise a legitimate version of the application would be served. However, the investigated ones revealed that any valid connection would get the malicious installer instead of the clean one.
Once the victim is compromised, components pertaining to persistency, command and control communication, and file searching are deployed on the victim’s machine. Based on instructions, the exfiltration component runs a file searching mechanism responsible for looping through drives looking for files with specific extensions. If found, they are placed in a temporary zip archive. They will be split into hidden .sft encrypted files, sent to the C&C server, and ultimately deleted from the disk to cover any tracks of the exfiltration.
For a more detailed investigation into the analyzed infrastructure behind the StrongPity APT, check out the whitepaper below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found in the whitepaper below.
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
July 21, 2021
How We Tracked a Threat Group Running an Active Cryptojacking Campaign
July 14, 2021
A Note from the Bitdefender Labs Team on Ransomware and Decryptors
May 26, 2021
New Nebulae Backdoor Linked with the NAIKON Group
April 28, 2021
Good riddance, GandCrab! We’re still fixing the mess you left behind.
June 17, 2019
FOLLOW US ON
You might also like
July 14, 2021