What Is It?

Within days of each other, researchers at both BitDefender and Cisco Talos have released details of separate campaigns attributed to the StrongPity APT (Advanced Persistent Threat) group. This group, also known as Promethium, has been active since 2012 and has continued to operate undaunted, despite numerous previously published research findings, potentially indicating a nation state-sponsored group. The first of these was in October 2016 by Kaspersky and related to attacks against targets in Italy and Belgium during the middle of 2016. This was followed by a report from Microsoft in December 2016 with Microsoft referring to the group as Promethium. Since then, StrongPity have been the subject of reports from ESET in December 2017, Citizen Lab in March 2018, Cylance in October 2018 and Alien Labs in July 2019.

BitDefender’s report concerns attacks against targets in Turkey and Syria beginning in October 2019. The location of the infected systems and the timing suggest StrongPity was acting in support of Turkish military activity, though it is unknown whether there is any direct affiliation. A watering hole attack was used to deliver trojanized versions of legitimate applications to users with IP addresses of interest. If a user was not in the target IP range, the legitimate application was provided. Applications include common, popular software such as 7-Zip, WinRAR, Recuva, TeamViewer, CCleaner and even McAfee Security Scan Plus. The purpose of the malware is to scan for files (generally documents) with specified extensions and exfiltrate them. Researchers also noted that the compilation times of the malware suggest the APT’s actors work during normal business hours, Monday to Friday.

The campaign described by Cisco Talos, which they named StrongPity3, began in July 2019. While the campaign mainly targeted users in Canada, Colombia, India and Vietnam, it has also infected users in Turkey, South Africa, Russia, Poland, Germany, France, Italy and the Netherlands. The focus of the malware remains the same: to locate and exfiltrate all documents from infected systems. They found StrongPity3 utilized trojanized versions of Firefox, VPNPro, 5kPlayer and DriverPack. The trojanized Firefox installer will abort if it determines either BitDefender or ESET anti-virus software is installed on the system.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. StrongPity have frequently used trojanized versions of legitimate applications and watering hole attacks to compromise the target’s systems.

When/How Did BluVector Detect It?

BitDefender’s report contained 133 publicly available samples and Cisco Talos’ report listed 100 publicly available malicious samples. When regression tested, BluVector’s patented Machine Learning Engine (MLE) detected all samples from both campaigns. Average detection was 21 months prior to release in the case of the BitDefender samples and 28 months for the Cisco Talos samples.