StrongPity, aka Promethium, a potentially state-sponsored APT group active since 2012, isn’t letting exposed campaigns in recent years stop it from trying to install malware around the world, particularly in warzones such as Syria.
Two separate reports this week from Cisco Talos and Bitdefender suggest the attackers are getting more aggressive in their geo-targeted malicious activities.
The infection vector appears to be a global moving target. Recent StrongPity3 attempts identified by Talos focused on Colombia, India, Canada and Vietnam.
Meanwhile, Bitdefender tracked a campaign starting Oct. 1, 2019, that targeted victims in Turkey and Syria, suggesting that the attackers are interested in the Kurdish conflict.
“Promethium has been resilient over the years,” Talos’ post stated. “Its campaigns have been exposed several times, but that was not enough to make the actors behind it to make them stop.”
Talos matched indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, resulting in approximately 30 new C2 domains.
Despite the number of samples and quantity of C2 servers, Cisco Talos did not identify the infection vectors because it couldn’t come up with evidence that the websites of the real applications were compromised to host the malicious installer. The infection vector also does not seem to be related to a supply-chain attack.
The security research firm also identified at least four new trojanized setup files: Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player).
Promethium focuses mainly on espionage, and its latest campaigns appear to share the same modus operandus. The malware exfiltrates any Microsoft Office file it encounters on the system.
Talos noted that the use of trojanized installation files to well-known applications is consistent with previously documented campaigns StrongPity3, leading it to believe that just like in the past, the initial vector may be either a watering hole attack or in-path request interception like mentioned in a CitizenLab report from 2018.
On the other hand, Talos believes the number of hits suggests infection vectors are still active. The trojanized setup installs malware and the legitimate application, which, Talos pointed out, is a good way to disguise activities. In some cases, the scheme reconfigures Windows Defender before dropping the malware to prevent detection.
Focusing on northeastern Syrian border, Bitdefender said it couldn’t find direct forensic evidence suggesting that the StrongPity APT group operated in support of Turkish military operations. But after analyzing a victim’s profile and timestamps, the security drew an interesting coincidence pointing to a potentially state-sponsored APT Group with political motivation.
Furthermore, Bitdefender believes StrongPity used a fully working Trojanized tool enabling the search and exfiltration of any file or document from a victim’s machine. Liker Talos, it also discovered a watering hole tactic that selectively targets victims in Turkey and Syria using a pre-defined IP list, as well as a 3-tiered C&C infrastructure for covering tracks and thwarting forensic investigation.
“Zooming in, we were able to observe that most of the targets are located near the border between Turkey and Syria, as well as in Istanbul, enforcing the idea that this threat might be involved in the geopolitical conflict between Turkey and the Kurdish community,” Bitdefender surmised.