Cybersecurity researchers today uncovered new details of watering hole attacks against the Kurdish community in Syria and Turkey for surveillance and intelligence exfiltration purposes.
The advanced persistent threat behind the operation, called StrongPity, has retooled with new tactics to control compromised machines, cybersecurity firm Bitdefender said in a report shared with The Hacker News.
“Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking,” the researchers said.
With the timestamps of the analyzed malware samples used in the campaign coinciding with the Turkish offensive into north-eastern Syria (codenamed Operation Peace Spring) last October, Bitdefender said the attacks could have been politically motivated.
Using Tainted Installers to Drop Malware
StrongPity (or Promethium) was first publicly reported on in October 2016 after attacks against users in Belgium and Italy that used watering holes to deliver malicious versions of WinRAR and TrueCrypt file encryption software.
Since then, the APT has been linked to a 2018 operation that abused Türk Telekom’s network to redirect hundreds of users in Turkey and Syria to malicious StrongPity versions of authentic software.
Thus when the targeted users attempt to download a legitimate application on the official website, a watering hole attack or an HTTP redirect is carried out to compromise the systems.
Last July, AT&T Alien Labs found evidence of a fresh spyware campaign that exploited trojanized versions of WinBox router management software and WinRAR file archiver to install StrongPity and communicate with the adversary infrastructure.
The new attack method identified by Bitdefender remains the same: target victims in Turkey and Syria using predefined IP list by leveraging tampered installers — including McAfee Security Scan Plus, Recuva, TeamViewer, WhatsApp, and Piriform’s CCleaner — hosted on localized software aggregates and sharers.
“Interestingly, all files investigated pertaining to the tainted applications appear to have been compiled from Monday to Friday, during normal 9 to 6 UTC+2 working hours,” the researchers said. “This strengthens the idea that StrongPity could be a sponsored and organized developer team paid to deliver certain ‘projects.'”
Once the malware dropper is downloaded and executed, the backdoor is installed, which establishes communication with a command and control server for document exfiltration and for retrieving commands to be executed.
It also deploys a “File Searcher” component on the victim’s machine that loops through every drive and looks for files with specific extensions (e.g., Microsoft Office documents) to be exfiltrated in the form of a ZIP archive.
This ZIP file is then split into multiple hidden “.sft” encrypted files, sent to the C&C server, and ultimately deleted from the disk to cover any tracks of the exfiltration.
Expanding Beyond Syria and Turkey
Although Syria and Turkey may be their recurring targets, the threat actor behind StrongPity appears to be expanding their victimology to infect users in Colombia, India, Canada, and Vietnam using tainted versions of Firefox, VPNpro, DriverPack, and 5kPlayer.
Calling it StrongPity3, Cisco Talos researchers yesterday described an evolving malware toolkit that employs a module called “winprint32.exe” to launch the document search and transmit the collected files. What’s more, the fake Firefox installer also checks if either ESET or BitDefender antivirus software is installed before dropping the malware.
“These characteristics can be interpreted as signs that this threat actor could in fact be part of an enterprise service for hire operation,” the researchers said. “We believe this has hallmarks a professionally packaged solution due to the similarity of each piece of malware being extremely similar but used across different targets with minor changes.”