Researchers from AT&T’s Alien Labs division uncovered an ongoing spyware campaign that uses malicious versions of WinRAR and other legitimate software packages to compromise targets. The researchers believe the attackers behind this campaign are an advanced persistent threat (APT) known as StrongPity (a.k.a. Promethium).
StrongPity was first publicly reported on in October 2016, with details on attacks against users in Belgium and Italy in mid-2016. In that campaign, StrongPity used watering holes to deliver malicious versions of WinRAR and the TrueCrypt file encryption software. StrongPity was reported on again in 2017 and 2018, but the exposure of its activity did not deter the group: in 2019 it has come up with new malware, which is now targeting users located in Turkey.
One of the malicious samples is an installer for WinBox, a utility that allows administration of Mikrotik RouterOS through a simple GUI. The malicious version of the software silently installs the StrongPity malware and then operates as if it were a standard, unaltered version of the trusted software. The malware scans for stored documents and retains the ability to provide further remote access. The malicious installer downloads the StrongPity malware into the Windows Temporary directory as %temp%DDF5-CC44CDB42E5wintcsr.exe. As in previous StrongPity attacks, the malware communicates with its command and control server over SSL.
Apart from the above-mentioned sample, the group is using a variety of other software as installers for the StrongPity malware, in particular newer versions of WinRAR and a tool called Internet Download Manager (IDM), which maliciously install StrongPity and communicate with related adversary infrastructure.
Although the researchers were unable to identify specific details about how the malicious installers are delivered, they believe the threat actor is likely using methods documented in previous reports on StrongPity, such as regional download redirection by ISPs.
“Overall, the identified TTPs, newer versions of StrongPity, and the legitimate software used to deliver it operate in ways similar to how the adversary has historically operated. This is likely due to the high amounts of operational success for the adversary with minimal modification to evade detection following public reporting over the years,” concluded Alien Labs.
A full list of Indicators of Compromise (IoCs) is available in the company’s blog post.