Security researchers from Bitdefender have detailed a new cyber espionage campaign aimed against victims in Turkey and Syria.
The threat actor behind this operation is StrongPity (also known as Promethium), a state-sponsored hacker group that has been active since at least 2012. First reports about this group emerged in 2016 with details of attacks against users in Belgium and Italy. Two years later, in 2018, the StrongPity APT was observed targeting Turkish telecommunication companies.
In the new campaign, the StrongPity APT has updated the tactics it uses to control compromised machines.
“Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking,” the report said.
In the observed attacks the group used two types of servers: download servers, which deliver the malicious installers used in the initial compromise, and command and control servers, used for data exfiltration and interaction with victims.
The new attack method also involved tampered installers, including 7-Zip, WinRAR, McAfee Security Scan Plus, Recuva, TeamViewer, WhatsApp, and Piriform's CCleaner, hosted on localized software aggregators and file-sharing sites.
“Interestingly, all files investigated pertaining to the tainted applications appear to have been compiled from Monday to Friday, during normal 9 to 6 UTC+2 working hours. This strengthens the idea that StrongPity could be a sponsored and organized developer team paid to deliver certain 'projects',” the researchers said.
Victims are selected from a predefined target list, which suggests the attackers serve weaponized versions of the applications only when the visitor's IP address matches an entry in that file. In all observed cases, however, “any valid connection would get the malicious installer instead of the clean one.”
After the victim computer has been compromised, the attackers deployed tools that allowed them to achieve persistence, communicate with command and control servers and search for valuable information.
“Based on instructions, the exfiltration component runs a file searching mechanism responsible for looping through drives looking for files with specific extensions. If found, they are placed in a temporary zip archive. They will be split into hidden .sft encrypted files, sent to the C&C server, and ultimately deleted from the disk to cover any tracks of the exfiltration,” Bitdefender said.
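The staging step described above leaves a recognisable trace on disk: a cluster of hidden files with the .sft extension waiting to be sent. The following hunt script is an added example written for this article, not Bitdefender's code or an artefact of the campaign; it walks a directory tree, treats a file as hidden by the POSIX dot-prefix or the Windows HIDDEN attribute, and reports directories holding several hidden .sft files. The sample tree it builds is constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

def is_hidden(path: Path) -> bool:
    """Hidden by the POSIX dot-prefix convention or by the Windows HIDDEN attribute."""
    if path.name.startswith("."):
        return True
    try:
        attrs = getattr(path.stat(), "st_file_attributes", 0)  # present on Windows only
    except OSError:
        return False
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))

def find_hidden_sft(root, min_group=2):
    """Return {directory: [paths]} for every directory holding at least
    min_group hidden *.sft files. A single stray file is noise; a cluster
    of split chunks matches the staging pattern the report describes."""
    groups = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = [Path(dirpath) / f for f in files
                if f.lower().endswith(".sft") and is_hidden(Path(dirpath) / f)]
        if len(hits) >= min_group:
            groups[dirpath] = sorted(hits)
    return groups

def build_sample(root: Path) -> None:
    """Constructed sample tree for the demo (not real campaign artefacts)."""
    staging = root / "AppData" / "Local" / "Temp"
    staging.mkdir(parents=True)
    for i in range(3):
        (staging / f".chunk{i}.sft").write_bytes(b"\x00" * 64)  # hidden chunks
    (root / "notes.sft").write_bytes(b"visible, so not flagged")
    (root / ".profile").write_text("hidden but wrong extension, not flagged")

def run_demo():
    """Build the sample tree in a temp dir and run the hunt over it."""
    root = Path(tempfile.mkdtemp())
    build_sample(root)
    return find_hidden_sft(root)

if __name__ == "__main__":
    for d, files in run_demo().items():
        print(f"{d}: {len(files)} hidden .sft files; review for staged exfiltration")
```

On a real host, point find_hidden_sft at each drive root and triage the reported directories alongside recently installed software from the trojanized list above.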