18 July 2019

StrongPity APT deploys malicious versions of WinBox and WinRAR in ongoing attacks


Researchers from AT&T's Alien Labs division uncovered an ongoing spyware campaign that uses malicious versions of WinRAR and other legitimate software packages to compromise targets. The researchers believe the attackers behind this campaign are an advanced persistent threat (APT) group known as StrongPity (a.k.a. Promethium).

StrongPity was first publicly reported in October 2016, with details of attacks against users in Belgium and Italy in mid-2016. In that campaign, StrongPity used watering holes to deliver malicious versions of WinRAR and the TrueCrypt file encryption software. StrongPity was reported on again in 2017 and 2018, but the exposure of its activity did not deter the group: in 2019 it has come up with new malware, which is now targeting users located in Turkey.

One of the malicious samples is an installer for WinBox, a utility that allows administration of MikroTik RouterOS through a simple GUI. The malicious version of the software silently installs the StrongPity malware and then operates as if it were a standard, unaltered copy of the trusted software. The malware scans for stored documents and retains the ability to provide further remote access. The malicious installer downloads the StrongPity malware into the Windows temporary directory as %temp%\DDF5-CC44CDB42E5\wintcsr.exe. As in previous StrongPity attacks, the malware communicates with the command and control server over SSL.

Apart from the above-mentioned sample, the group is using a variety of other software as installers for the StrongPity malware, in particular newer versions of WinRAR and a tool called Internet Download Manager (IDM), which maliciously installs StrongPity and communicates with related adversary infrastructure.

Although the researchers were unable to identify specific details about how the malicious installers are delivered, they believe the threat actor is likely using methods documented in previous reports on StrongPity, such as regional download redirection at the ISP level.

“Overall, the identified TTPs, newer versions of StrongPity, and the legitimate software used to deliver it operate in ways similar to how the adversary has historically operated. This is likely due to the high amounts of operational success for the adversary with minimal modification to evade detection following public reporting over the years,” concluded Alien Labs.

A full list of Indicators of Compromise (IoCs) is available in the company's blog post.
