Anti-Malware Research Whitepapers

StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure

Bitdefender researchers have recently found that the APT group StrongPity has been targeting victims in Turkey and Syria. Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the group leveraged Trojanized versions of popular tools, such as archivers, file recovery applications, remote connection applications, utilities, and even security software, to cover a wide range of programs that targeted victims might be seeking.

The data gathered while investigating this group suggests the attackers are especially interested in the Kurdish community, placing the threat in the geo-political context of the constant conflicts in the region.

Interestingly, the samples used in one of the attackers' campaigns seem to have been timestamped starting October 1st 2019, coinciding with the launch of the Turkish offensive into north-eastern Syria, code-named Operation Peace Spring. While there is no direct forensic evidence suggesting that the StrongPity APT group operated in support of Turkish military operations, the victims' profile coupled with the timestamps on the analyzed samples make for an interesting coincidence.

Key Findings:

  • Potentially state-sponsored APT group with political motivation
  • Ability to search for and exfiltrate any file or document from a victim's machine
  • Watering hole tactic that selectively targets victims in Turkey and Syria using a pre-defined IP list
  • 3-tiered C&C infrastructure for covering tracks and thwarting forensic investigation
  • Use of fully working Trojanized popular tools

Interestingly, all investigated files pertaining to the tainted applications appear to have been compiled from Monday to Friday, during normal 9-to-6 working hours (UTC+2). This strengthens the idea that StrongPity could be a sponsored and organized developer team paid to deliver certain "projects."
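The working-hours inference above is a standard timestamp-analysis step: convert each sample's PE compile timestamp to the suspected local time zone and check the weekday and hour distribution. The following is an added example (not Bitdefender's code or data) that does this over constructed sample timestamps, assuming the UTC+2 offset and 9-to-6 window stated in the article.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample values shaped like IMAGE_FILE_HEADER.TimeDateStamp
# (seconds since the Unix epoch). These are NOT StrongPity indicators.
SAMPLE_TIMESTAMPS = [
    1569913200,  # Tue 2019-10-01 07:00 UTC -> 09:00 UTC+2 (inside)
    1570026600,  # Wed 2019-10-02 14:30 UTC -> 16:30 UTC+2 (inside)
    1570204740,  # Fri 2019-10-04 15:59 UTC -> 17:59 UTC+2 (inside)
    1570269600,  # Sat 2019-10-05 10:00 UTC -> 12:00 UTC+2 (weekend)
    1570469400,  # Mon 2019-10-07 17:30 UTC -> 19:30 UTC+2 (after hours)
]

# Assumed analyst hypothesis, taken from the article: UTC+2, Mon-Fri, 09:00-18:00.
LOCAL_TZ = timezone(timedelta(hours=2))
WORK_START, WORK_END = 9, 18  # end is exclusive: 17:59 counts, 18:00 does not


def to_local(ts: int) -> datetime:
    """Interpret a raw PE timestamp as UTC and shift it into the hypothesised zone."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).astimezone(LOCAL_TZ)


def in_working_hours(ts: int) -> bool:
    """True if the compile time falls on Mon-Fri within the 9-to-6 window."""
    local = to_local(ts)
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def working_hours_profile(timestamps):
    """Summarise how a sample set clusters around the hypothesised working hours.

    Zero timestamps are dropped: linkers emit 0 for reproducible builds, and a
    forged or zeroed stamp says nothing about when the operator actually worked.
    """
    valid = [t for t in timestamps if t > 0]
    inside = sum(1 for t in valid if in_working_hours(t))
    return {
        "total": len(valid),
        "inside": inside,
        "outside": len(valid) - inside,
        "weekdays": dict(Counter(to_local(t).strftime("%a") for t in valid)),
        "hours": dict(Counter(to_local(t).hour for t in valid)),
        "all_inside": bool(valid) and inside == len(valid),
    }


if __name__ == "__main__":
    print(working_hours_profile(SAMPLE_TIMESTAMPS))
```

A set where every sample lands inside the window, as the article reports for StrongPity, is what makes the "paid developer team" hypothesis credible; a single weekend or late-night outlier is worth checking for a forged or zeroed timestamp before drawing conclusions.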

Victims are screened against a $targets list, suggesting that the attackers deliver the tainted version of a Trojanized application only if the victim's IP address matches an entry in the file, and otherwise serve the legitimate version. However, the servers we investigated returned the malicious installer to any valid connection instead of the clean one.

Once the victim is compromised, components responsible for persistence, command and control communication, and file searching are deployed on the victim's machine. Based on instructions received, the exfiltration component runs a file searching mechanism that loops through the drives looking for files with specific extensions. Any matches are placed in a temporary zip archive, which is then split into hidden, encrypted .sft files, sent to the C&C server, and ultimately deleted from disk to cover any tracks of the exfiltration.

For a more detailed investigation into the analyzed infrastructure behind the StrongPity APT, check out the whitepaper below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found in the whitepaper below.

Download the whitepaper

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team, and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in the geek universe.

About the author

Radu Tudorica

Radu TUDORICA is a security researcher at Bitdefender based in Iasi, Romania. Passionate about malware research, advanced persistent threats, and cybercrime investigations, his hobbies involve reverse engineering and taking hardware apart and putting it back together again.

About the author

Cristina VATAMANU

Senior Team Lead, Cyber Threat Intelligence Lab

Cristina Vatamanu is Senior Team Lead in the Cyber Threat Intelligence Lab at Bitdefender. She is based in Iasi, Romania, and has more than 10 years of forensic work under her belt, covering malware analysis, cybercrime investigations, and research projects on anti-malware tool optimization. She graduated in Computer Science and holds a PhD in machine learning applied to hybrid models for detecting malicious programs.

About the author

Alexandru MAXIMCIUC

Team Lead, Cyber Threat Intelligence Lab

Alexandru "Sasha" Maximciuc is a veteran security researcher with more than a decade of experience. His research is mostly focused on exploits, advanced persistent threats, cybercrime investigations, and packing technologies.