18 July 2019

StrongPity APT deploys malicious versions of WinBox and WinRAR in ongoing attacks


Researchers from AT&T’s Alien Labs division have uncovered an ongoing spyware campaign that uses malicious versions of WinRAR and other legitimate software packages to compromise targets. The researchers believe the attackers behind the campaign are the advanced persistent threat (APT) group known as StrongPity (a.k.a. Promethium).

StrongPity was first publicly reported on in October 2016, with details of attacks against users in Belgium and Italy in mid-2016. In that campaign, StrongPity used watering holes to deliver malicious versions of WinRAR and the TrueCrypt file-encryption software. The group was reported on again in 2017 and 2018, but the exposure of its activity did not deter it: in 2019 it has come up with new malware, which is now targeting users located in Turkey.

One of the malicious samples is an installer for WinBox, a utility that provides a simple GUI for administering MikroTik RouterOS. The malicious version silently installs the StrongPity malware and then behaves like the standard, unaltered version of the trusted software. The malware scans for stored documents and retains the ability to provide further remote access. The malicious installer drops the StrongPity malware into the Windows temporary directory as %temp%\DDF5-CC44CDB42E5\wintcsr.exe. As in previous StrongPity attacks, the malware communicates with its command-and-control server over SSL.
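The dropped-file path above is the one concrete host indicator the report gives, so a defender's first hunt is to look for that payload in process-creation telemetry. The following Python is an added example written for this page, not code from the article or from Alien Labs: it parses a constructed, simplified process-creation log format (timestamp, host, Image, ParentImage) and flags executions of wintcsr.exe, rating an exact match on the %temp%\DDF5-CC44CDB42E5 directory as high confidence and the same file name elsewhere under a Temp directory as medium. Host names, user names, installer file names and the log layout are all constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicator quoted in the report: the trojanised WinBox installer drops the
# StrongPity payload at %temp%\DDF5-CC44CDB42E5\wintcsr.exe.
DROPPED_FILE_NAME = "wintcsr.exe"
DROPPED_DIR_NAME = "ddf5-cc44cdb42e5"  # compared case-insensitively

# Constructed sample process-creation events (not real telemetry). The
# "Image=... ParentImage=..." layout is an assumption made for this example.
SAMPLE_EVENTS = [
    r"2019-07-18T10:02:11Z WS01 Image=C:\Program Files\WinRAR\WinRAR.exe ParentImage=C:\Windows\explorer.exe",
    r"2019-07-18T10:05:43Z WS01 Image=C:\Users\alice\AppData\Local\Temp\DDF5-CC44CDB42E5\wintcsr.exe ParentImage=C:\Users\alice\Downloads\winbox-setup.exe",
    r"2019-07-18T10:06:00Z WS02 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe",
    r"2019-07-18T10:07:15Z WS03 Image=C:\Users\bob\AppData\Local\Temp\wintcsr.exe ParentImage=C:\Users\bob\Downloads\idm-setup.exe",
]

# Image paths may contain spaces ("Program Files"), so the Image group is
# non-greedy and stops at the literal " ParentImage=" separator.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) Image=(?P<image>.+?) ParentImage=(?P<parent>.+)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_image(image_path):
    """Rate an executed image path against the StrongPity drop indicator.

    Returns 'high' for the exact reported directory and file name, 'medium'
    for the file name anywhere under a Temp directory, 'low' for the file
    name elsewhere, and None when the file name does not match at all.
    """
    p = PureWindowsPath(image_path)
    if p.name.lower() != DROPPED_FILE_NAME:
        return None
    if p.parent.name.lower() == DROPPED_DIR_NAME:
        return "high"
    if any(part.lower() == "temp" for part in p.parts):
        return "medium"
    return "low"


def hunt(events):
    """Return a finding for every event whose image matches the indicator."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        confidence = classify_image(ev["image"])
        if confidence is None:
            continue
        findings.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "confidence": confidence,
            "image": ev["image"],
            "parent": ev["parent"],
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} [{f['confidence']}] {f['image']} <- {f['parent']}")
```

The parent process recorded with each hit is what makes the finding actionable: a wintcsr.exe launched by a freshly downloaded installer matches the delivery chain the article describes, whereas the same name launched by something else still deserves a look but is a weaker signal.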

Apart from the above-mentioned sample, the group is using a variety of other software as installers for the StrongPity malware, in particular newer versions of WinRAR and a tool called Internet Download Manager (IDM); these trojanised installers likewise install StrongPity and communicate with related adversary infrastructure.

Although the researchers were unable to identify specific details about how the malicious installers are delivered, they believe the threat actor is likely using methods documented in previous reports on StrongPity, such as regional redirection of downloads by ISPs.

“Overall, the identified TTPs, newer versions of StrongPity, and the legitimate software used to deliver it operate in ways similar to how the adversary has historically operated. This is likely due to the high amounts of operational success for the adversary with minimal modification to evade detection following public reporting over the years,” concluded Alien Labs.

A full list of Indicators of Compromise (IoCs) is available in the company’s blog post.
