
Cyber-Espionage Group StrongPity Focuses on Kurdish Community

Recent attacks associated with the threat actor known as StrongPity appear to focus on the Kurdish community in Turkey and Syria, Bitdefender security researchers say.

Active since at least 2012 and also tracked as Promethium, the threat actor was initially detailed in 2016, when it mainly focused on victims in Italy, Turkey, and Belgium. The group is believed to be state-sponsored, but there appears to be little evidence to support that.

Despite the publication of several reports detailing its activities, the threat actor remains active and continues to target victims in various regions, including Colombia, India, Canada and Vietnam, Cisco Talos reveals. Still, most of the group’s victims are located in Turkey, says Bitdefender.

The group’s tactics, techniques, and procedures (TTPs) have seen few changes over the past four years, and it continues to rely on trojanized installers of well-known applications to infect its victims. The actor also appears to continue relying on watering hole attacks.

StrongPity is known to engage in cyber-espionage, and the recently observed campaigns are no different. However, the adversary appears to have expanded its operations to new regions, past the previously targeted Europe, Northern Africa and the Middle East geographies.

Over the past year, the threat actor has been conducting at least three different campaigns, which are believed to be overlapping. Furthermore, some of the domains used in these attacks still receive hits, suggesting that they continue to be an active infection vector.

Since July 2019, the group has used four new trojanized applications, namely the Firefox browser, the VPNpro VPN client, the DriverPack driver collection, and the 5kPlayer media player, all signed with a self-signed certificate.

The threat actor’s main malware has been updated with new methods of sending requests to the command and control (C&C) server, a new persistence mechanism, and a new location for storing the dropped files.

Since late 2019, Bitdefender has observed numerous attacks focusing on victims in Istanbul and close to the Syrian border, which led to the assumption that the Kurdish community is being targeted. However, StrongPity has been observed targeting victims in the region before.

In one campaign, the observed samples all have creation timestamps after October 1, 2019, the date Turkey launched its offensive into northeastern Syria.

“While there is no direct forensic evidence suggesting that the StrongPity APT group operated in support of Turkish military operations, the victim’s profile coupled with the timestamps on the analyzed samples make for an interesting coincidence,” Bitdefender cybersecurity analyst Liviu Arsene points out.

During their investigation into the attacks, Bitdefender’s security researchers discovered that the adversary uses a 3-tiered C&C infrastructure to remain undetected, and that victims are selectively targeted using pre-defined IP lists.

The list of identified trojanized applications leveraged in the observed attacks includes 7-zip, WinRAR, McAfee Security Scan Plus, Recuva, TeamViewer, WhatsApp, Piriform CCleaner, CleverFiles Disk Drill, DAEMON Tools Lite, Glary Utilities, and RAR Password Unlocker.

An analysis of the compilation times of the tampered installers revealed a 9-to-6 working schedule from Monday to Friday in the UTC+2 time zone, which further reinforces the assumption that the actor might be state-sponsored.
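The working-schedule inference above comes from bucketing PE compile timestamps by local weekday and hour. The following is an added example of that analyst technique, not code from Bitdefender, Talos or the article; the timestamps are constructed to illustrate the method, and the window of 09:00 to 18:00 in UTC+2 (Monday to Friday) is the assumption taken from the article's "9 to 6" description.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def _utc(year, month, day, hour, minute):
    """Build a PE-style compile timestamp: seconds since the epoch, UTC."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample: the kind of values an analyst would read from
# IMAGE_FILE_HEADER.TimeDateStamp of a set of installers. Not real data.
SAMPLE_TIMESTAMPS = [
    _utc(2019, 10, 7, 7, 30),    # Mon 09:30 UTC+2  (inside window)
    _utc(2019, 10, 8, 12, 15),   # Tue 14:15 UTC+2  (inside)
    _utc(2019, 10, 9, 15, 45),   # Wed 17:45 UTC+2  (inside)
    _utc(2019, 10, 10, 7, 5),    # Thu 09:05 UTC+2  (inside)
    _utc(2019, 10, 11, 9, 0),    # Fri 11:00 UTC+2  (inside)
    _utc(2019, 10, 14, 13, 20),  # Mon 15:20 UTC+2  (inside)
    _utc(2019, 10, 12, 10, 0),   # Sat 12:00 UTC+2  (weekend: outside)
    _utc(2019, 10, 15, 23, 30),  # Wed 01:30 UTC+2 next day (night: outside)
]


def working_hours_profile(stamps, utc_offset_hours=2, start_hour=9, end_hour=18):
    """Bucket compile timestamps by local weekday and hour and report how many
    fall inside a Monday-to-Friday, start_hour <= hour < end_hour window.

    Returns a dict with the totals, the share inside the window and the two
    Counters, so the caller can print a histogram or compare time zones.
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    by_weekday = Counter()
    by_hour = Counter()
    in_window = 0
    for ts in stamps:
        local = datetime.fromtimestamp(ts, tz=timezone.utc).astimezone(local_tz)
        by_weekday[WEEKDAYS[local.weekday()]] += 1
        by_hour[local.hour] += 1
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            in_window += 1
    total = len(stamps)
    return {
        "total": total,
        "in_window": in_window,
        "share": in_window / total if total else 0.0,
        "by_weekday": by_weekday,
        "by_hour": by_hour,
    }


def best_offset(stamps, candidates=range(-12, 15), start_hour=9, end_hour=18):
    """Return the UTC offset (in hours) whose window captures the most samples.
    This is the usual way to turn raw timestamps into a time-zone hypothesis."""
    return max(candidates, key=lambda off: working_hours_profile(
        stamps, off, start_hour, end_hour)["in_window"])


def render(profile):
    """Plain-text histogram of the weekday and hour buckets."""
    lines = ["weekday:"]
    for day in WEEKDAYS:
        lines.append(f"  {day} {'#' * profile['by_weekday'][day]}")
    lines.append("hour (local):")
    for hour in sorted(profile["by_hour"]):
        lines.append(f"  {hour:02d} {'#' * profile['by_hour'][hour]}")
    lines.append(f"inside window: {profile['in_window']}/{profile['total']} "
                 f"({profile['share']:.0%})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(working_hours_profile(SAMPLE_TIMESTAMPS, utc_offset_hours=2)))
    print("best-fitting UTC offset:", best_offset(SAMPLE_TIMESTAMPS))
```

Two caveats a practitioner would apply before reading much into the result: the `TimeDateStamp` field is writable by whoever builds the binary, so a consistent schedule is corroborating evidence rather than proof, and with a small sample several adjacent offsets will fit equally well (as `best_offset` shows, it only picks the first maximum), so the inferred time zone should be cross-checked against other artifacts such as certificate validity periods or C&C registration times.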

“The PROMETHIUM threat actor is dedicated and resilient. After first being documented, they changed their toolkit but not their techniques or procedures. Since then, their toolkit has been the same, with just enough updates to keep their activities as efficient as possible. During this period, the victimology has expanded behind their initial focus in Europe and Middle East to a global operation targeting organizations on most continents,” Talos notes.

Related: StrongPity Targets Victims with Malicious WinBox Installer

Related: Internet Provider Redirects Users in Turkey to Spyware: Report
