StrongPity APT Returns with Retooled Spyware

The group is using malicious versions of WinRAR and other legitimate software packages to infect targets, likely via watering-hole attacks.


The APT group behind the sophisticated malware known as StrongPity (a.k.a. Promethium) has mounted a fresh spyware campaign that is still ongoing as of July 2019. The group has retooled with new malware to control compromised machines, according to researchers.

“The new malware samples [first identified in early July] have been unreported and generally appear to have been created and deployed to targets following a toolset rebuild in response to the public reporting during the fourth quarter of 2018,” according to the analysis from AT&T’s Alien Labs division, released Wednesday and shared with Threatpost. “Based on compilation times, infrastructure build and use and public distribution of samples, we assess the activity continues to operate successfully as of this report.”

The revamped malware, which is now targeting users located in Turkey, is similar to the group’s hallmark StrongPity/Promethium code and carries complete spyware capability, according to the research. It’s built to locate sensitive documents while establishing a persistent backdoor for remote access.

“The spyware seeks out document file types on victim hosts, in addition to complete host details,” Tom Hegel, security researcher at AT&T Alien Labs, told Threatpost. “While not completely unique to this report, it’s an interesting trend as it helps guide the potential interests the attacker has on collecting/stealing victim data. Additionally the malware does communicate completely over SSL, so detections at the network layer may present challenges to defenders.”

As an initial infection vector, StrongPity is deploying malicious versions of the WinBox router management software, the WinRAR free encryption and file-compression utility popular with security- and privacy-conscious users, and other trusted software, according to the research. For instance, one sample hides within an installer for WinBox, a utility that allows administration of MikroTik RouterOS using a simple GUI.

“The malicious version of the software installs StrongPity’s malware without any obvious signs to the victim, and then operates as if it were a standard unaltered version of the trusted software,” researchers explained. “The malicious WinBox installer drops the StrongPity sample into the Windows Temporary directory…[and] similar to previous reports of StrongPity, the malware communicates with the command-and-control (C2) server over SSL.”
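One way a defender could hunt for the installer-drops-then-beacons chain that quote describes, as an added example that is not from the article or the Alien Labs report: it correlates constructed Sysmon-style events (the field names, paths and installer heuristics are assumptions) so that an installer writing an .exe into Temp and that .exe then connecting out on 443 is flagged together, rather than alerting on TLS traffic alone.

```python
import ntpath
from collections import defaultdict

# Constructed sample events (not real telemetry), in time order. Field names
# and values are assumptions loosely modelled on Sysmon event IDs:
# 1 = process create, 11 = file create, 3 = network connect.
EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Users\a\Downloads\winbox-setup.exe"},
    {"id": 11, "pid": 4100, "target": r"C:\Users\a\AppData\Local\Temp\wbupd.exe"},
    {"id": 1, "pid": 4172, "image": r"C:\Users\a\AppData\Local\Temp\wbupd.exe"},
    {"id": 3, "pid": 4172, "image": r"C:\Users\a\AppData\Local\Temp\wbupd.exe",
     "dst_port": 443},
    # The genuine WinBox also starts, so the victim sees nothing unusual.
    {"id": 1, "pid": 4200, "image": r"C:\Program Files\WinBox\winbox.exe"},
    # Benign: another installer writes a DLL outside Temp; nothing beacons.
    {"id": 1, "pid": 4300, "image": r"C:\Users\a\Downloads\idman-setup.exe"},
    {"id": 11, "pid": 4300, "target": r"C:\Program Files\IDM\idman.dll"},
    # Benign: a browser uses TLS but was not dropped by an installer.
    {"id": 3, "pid": 4400, "image": r"C:\Program Files\Firefox\firefox.exe",
     "dst_port": 443},
]

# Substrings that mark a process as an installer (assumption for this demo).
INSTALLER_HINTS = ("setup", "install", "winbox", "winrar", "idman")

def is_temp_exe(path):
    """True for an .exe written under a user or system Temp directory."""
    p = path.lower()
    in_temp = "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p
    return in_temp and p.endswith(".exe")

def find_drop_and_beacon(events):
    """Chain: installer -> .exe dropped in Temp -> that .exe connects on 443."""
    images = {}                  # pid -> image path, from process-create events
    dropped = defaultdict(set)   # installer pid -> lowercased paths it wrote
    findings = []
    for ev in events:
        if ev["id"] == 1:
            images[ev["pid"]] = ev["image"]
        elif ev["id"] == 11 and is_temp_exe(ev["target"]):
            writer = ntpath.basename(images.get(ev["pid"], "")).lower()
            if any(h in writer for h in INSTALLER_HINTS):
                dropped[ev["pid"]].add(ev["target"].lower())
        elif ev["id"] == 3 and ev.get("dst_port") == 443:
            for inst_pid, paths in dropped.items():
                if ev["image"].lower() in paths:
                    findings.append({"installer": images[inst_pid],
                                     "dropped": ev["image"], "pid": ev["pid"]})
    return findings
```

On real telemetry the same correlation would run over Sysmon or EDR events keyed by process GUID rather than PID, since PIDs are reused.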

The analysis also uncovered the group using newer versions of WinRAR and a tool called Internet Download Manager (IDM) to hide the malware. Given these choices, the researchers said, the targets are likely technically focused users.

The malware beacons to a C2 destination already seen in previous StrongPity campaigns, the report added.

“Overall, the identified TTPs, newer versions of StrongPity, and the legitimate software used to deliver it operate in ways similar to how the adversary has historically operated,” Alien Labs researchers said. “This is likely due to the high amounts of operational success for the adversary with minimal modification to evade detection following public reporting over the years.”

Hegel said that the constant reinvention doesn’t necessarily translate into sophistication.

“Rather than a high level of sophistication, I’d say they are just more aware of public exposure,” he told Threatpost. “If they are operating as a business, this makes sense to simply stay operational. Based on our findings and the findings of past reports, we can assess they likely have access to the capability of mass traffic manipulation and potential government involvement.”

He added that StrongPity is also potentially selling the malware’s capability to multiple entities for their own white-labeled use.

StrongPity was first publicly reported in October 2016, after attacks against users in Belgium and Italy in which it used watering-hole attacks to deliver malicious versions of WinRAR and the TrueCrypt file-encryption software. Kaspersky researchers described the actor as a characteristic APT outfit using its share of zero-day vulnerabilities and modular attack tools to infiltrate victims and conduct espionage.

That was followed by more research in 2016 from Microsoft, which called the malware Promethium, showing the group targeting individuals in Europe with zero-day vulnerabilities. Then in 2017, ESET researchers identified a Promethium/StrongPity variant being used at the ISP level in two unnamed countries, signaling a change in approach.

It showed up again in March 2018, when the Citizen Lab reported on activity against users in Turkey and Syria. Researchers said that they had uncovered the APT attacking at an ISP level, by abusing Sandvine/Procera deep packet inspection (DPI) hardware in Türk Telekom’s network. DPI boxes are typically used by ISPs to help manage traffic loads on their networks and enable policy-based, application-aware bandwidth management; the idea is to ensure that consumers don’t feel internet slowdowns during periods of heavy traffic.

However, Citizen Lab said that it saw the threat group compromising these legitimate DPI boxes to insert the StrongPity malware into otherwise benign traffic, targeting regions in Turkey.

“The middleboxes were being used to redirect hundreds of users in Turkey and Syria to nation-state spyware when those users attempted to download certain legitimate Windows applications,” Citizen Lab said at the time.

Sandvine denied the intimation that this was being done with the complicity of the ISP itself, but regardless of attribution, the report had an effect on the StrongPity gang: Just two weeks after it was published, Cylance observed new Promethium/StrongPity activity with altered tactics, utilizing new infrastructure.

This ongoing revamping after public disclosure of a campaign is a hallmark of the StrongPity actors, researchers said.

“The malware has continued to adapt as new information is published,” Cylance researchers explained at the time, echoing this week’s assessment by Alien Labs that public disclosure prompts changes in tactics for the group. “Defenders and those they serve would do well to think historically and look back more frequently to inspect the ‘living memory’ of threat actor behavior and campaigns in both the target organization’s history as well as that of the larger threat intelligence community.”

This post was updated at 2:09 p.m. ET on July 17, 2019 with additional details on the new malware.