StrongPity APT Back with Kurdish-Aimed Watering Hole Attacks

strongpity apt kurds watering hole

The spy malware is being delivered via a complex infrastructure with multiple layers, in an effort to avoid analysis.

The APT group known as StrongPity is back with a new watering-hole campaign, targeting mainly Kurdish victims in Turkey and Syria. The malware served offers operators the ability to search for and exfiltrate any file or document from a victim’s machine.

The group (a.k.a. Promethium) is operating a series of bogus websites purporting to offer a range of popular software utilities. The tools on offer are trojanized versions of archivers, file-recovery applications, remote-connection applications, security software and more. These include 7-zip, WinRAR archiver, McAfee Security Scan Plus, Recuva, TeamViewer, WhatsApp, Piriform CCleaner, CleverFiles Disk Drill, DAEMON Tools Lite, Glary Utilities and RAR Password Unlocker.

The sheer variety of the trojanized applications on offer in the latest campaign is a method aimed at casting a wide net in terms of victims’ interests, according to researchers at Bitdefender in a report released Tuesday. That’s not to say however that the attacks are devoid of targeting.

The effort selectively targets victims using pre-defined IP list, researchers said; if the victim’s IP address matches one found in the installer’s configuration file, the attackers can deliver a tainted version of the trojanized application. Otherwise, they deliver a legitimate version. The IPs on the list appear to correspond to Kurdish targets, according to the research.

And as with previous StrongPity campaigns, the malware, once installed, has an “exfiltration component [that] runs a file-searching mechanism responsible for looping through drives looking for files with specific extensions,” according to the analysis. “If found, they are placed in a temporary .ZIP archive. They will be split into hidden .SFT encrypted files, sent to the C2 server, and ultimately deleted from the disk to cover any tracks of the exfiltration.”

Behind the scenes, StrongPity is using two types of servers, used to fulfill two main roles: Download servers that deliver the poisoned installer used in the initial compromise of victims; and C2 servers.

“From what was observed in the wild, StrongPity actors were able to tamper with some localized software aggregates and sharers,” according to Bitdefender’s analysis. “Usually, website visitors, when trying to download a certain installer, are redirected to a dedicated download server, as a result of a rewritten request to the legitimate server.”

The malicious installers that are subsequently dropped on victims’ machines use a custom bundler/dropper, digitally signed (with a self-signed certificate), that include the malicious components and the original, legitimate software product.

“Once the malicious installer is downloaded and executed, the backdoor is installed,” explained Bitdefender. “The backdoor will communicate with a command-and-control server, embedded into its binary, for document exfiltration and for retrieving commands to be executed, depending on the importance of the victim.”

Meanwhile, the group uses a multi-tiered C2 infrastructure for covering its tracks and thwarting forensic investigation, in the form of different sets of proxy servers. The first layer is made up of IPs to which the malware will try to connect.

“Each of these IPs has a unique domain associated to it that is embedded in the binary,” according to Bitdefender. “These are in fact proxies to other machines.”

These nodes then use the PHP curl bindings to forward the request to the next server in the chain, which usually is located in a different country and at a different provider. “The communication between the first layer and its upstream target is HTTPS (but the certificate is not verified) on an unusual TCP port for this protocol – 1402,” researchers added.

The second layer is composed of the IP addresses that the first layer forwards data to. These IPs do not have any domains linked to them, but do have multiple first-layer IPs pointing to them.

In an additional layer, the threat actors use a VPN service for connecting and administrating the servers, usually from or, according to Bitdefender.

“In terms of infrastructure, we were able to map 47 servers with different functionalities,” researchers wrote. “It does not seem that the threat actor prefers a particular hosting provider or region to set up the infrastructure, but most of them are in Europe.”


This particular campaign’s victimology dovetails with previous reports, such as a 2018 analysis from Citizen Lab, which shows the group to have been particularly active in Turkey and Syria.

“The data gathered while investigating this group suggests the attackers are interested especially in the Kurdish community, placing the threat in the geo-political context of the constant conflicts in the region,” according to Bitdefender’s analysis, released Tuesday. “The samples used in one of the attackers’ campaigns seems to have been timestamped starting October 1, 2019, coinciding with the launch of the Turkish offensive into northeastern Syria, code-named Operation Peace Spring.”

That said, the StrongPity APT group doesn’t necessarily operate in support of Turkish military operations, to be clear: Bitdefender speculated that the APT could be a mercenary, cybersoldier-for-hire outfit.

“During our investigation, we were able to gather several samples of these tampered installers,” the researchers wrote. “Each initial dropper has a compile time, the exact date the tampered installer was created. When we investigated this aspect, we observed that all the files we managed to retrieve were compiled from Monday to Friday, a normal work week…This strengthens the idea that StrongPity could be a sponsored and organized developer team paid to deliver certain projects.”

Additional analysis of older 2019 campaigns from Cisco Talos, released on Monday, meanwhile found that the group’s victimology has expanded behind their initial focus in Europe and Middle East into becoming a global operation targeting organizations on most continents. The malware samples the firm examined (hiding inside trojanized setup files for Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player) all related to targeted victims in Colombia, India, Canada and Vietnam.

“These characteristics can be interpreted as signs that this threat actor could in fact be part of an enterprise service-for-hire operation,” researchers at Cisco Talos noted. “We believe this has hallmarks a professionally packaged solution due to the similarity of each piece of malware being extremely similar but used across different targets with minor changes.”

StrongPity Evolves Over Time

StrongPity was first publicly reported in October 2016 (but likely has been in operation since 2012), after attacks against users in Belgium and Italy where it used watering-hole attacks to deliver malicious versions of WinRAR and the TrueCrypt file encryption software. Kaspersky researchers described the actor as a characteristic APT outfit using its share of zero-days vulnerabilities and modular attack tools to infiltrate victims and conduct espionage.

That was followed by more research in 2016 from Microsoft, which called the malware Promethium, showing the group targeting individuals in Europe with zero-day vulnerabilities. Then in 2017, ESET researchers identified a Promethium/StrongPity variant being used at the ISP level in two unnamed countries, signaling a change in approach.

It showed up again in March 2018, when the aforementioned Citizen Lab report said that researchers had uncovered the APT attacking at an ISP level, by abusing Sandvine/Procera deep packet inspection (DPI) hardware in Türk Telekom’s network. DPI boxes are typically used by ISPs to help manage traffic loads on their networks and enable policy-based, application-aware bandwidth management; the idea is to ensure that consumers don’t feel internet slowdowns during periods of heavy traffic.

However, Citizen Lab said that it saw the threat group compromising these legitimate DPI boxes to insert the StrongPity malware into otherwise benign traffic, targeting regions in Turkey.

“The middleboxes were being used to redirect hundreds of users in Turkey and Syria to nation-state spyware when those users attempted to download certain legitimate Windows applications,” Citizen Lab said at the time.

Sandvine denied the intimation that this was being done with the complicity of the ISP itself, but regardless of attribution, the report had an effect on the StrongPity gang: Just two weeks after it was published, Cylance observed new Promethium/StrongPity activity with altered tactics, utilizing new infrastructure.

This ongoing revamping after public disclosure of a campaign is a hallmark of the StrongPity actors, Cisco Talos researchers said.

“The Promethium threat actor — active since 2012 — has been exposed multiple times over the past several years,” Cisco Talos researchers wrote this week. “However, this has not deterred this actor from continuing and expanding their activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, Cisco Talos identified around 30 new C2 domains [in 2019].”

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles