Two APTs Used Same Zero-Day to Target Individuals in Europe

Researchers at Microsoft have observed two separate advanced persistent threat (APT) actors that leveraged the same Flash Player zero-day vulnerability to spy on Turkish citizens living in Turkey and various other European countries.

Dubbed by Microsoft PROMETHIUM and NEODYMIUM – the company assigns chemical element names to threat actors – the groups used different infrastructure and malware, but there are some similarities that indicate a possible connection at a higher organizational level.

The attacks, spotted in early May, leveraged a Flash Player exploit (CVE-2016-4117) that Adobe patched on May 12. The groups used the same exploit at the same time, before it was publicly disclosed, and against the same type of targets.

The group tracked as PROMETHIUM has been active since at least 2012. In the attacks observed by Microsoft, the actor sent out links via instant messaging applications. The links pointed to documents set up to exploit CVE-2016-4117 in an effort to deliver a piece of malware dubbed Truvasys.

Truvasys has been mainly observed in western European countries, but it has been configured to target devices with Turkish locale settings (i.e. parameters that define the user’s language and region). This indicates that the attackers were particularly interested in Turkish citizens living in Turkey and western European countries.

In some cases, the attackers also delivered a piece of malware named Myntor, but Microsoft has not been able to determine the criteria for pushing this second threat onto a victim’s computer.

PROMETHIUM’s activities have also been analyzed by Kaspersky Lab, which named the group and its malware StrongPity. In the attacks observed by the security firm, the actor used watering holes and poisoned application installers to deliver their malware. Kaspersky noted in its analysis that StrongPity’s techniques were similar to the ones of Russia-linked threat actor Crouching Yeti (aka Energetic Bear and Dragonfly).

NEODYMIUM also leveraged the same CVE-2016-4117 exploit in early May, before its existence was disclosed. The attackers used spear-phishing emails carrying malicious documents to deliver their malware.

This group has used a backdoor, dubbed by Microsoft Wingbird, that is very similar to the notorious government-grade commercial spyware FinFisher. Researchers believe Wingbird is a relatively new version of FinFisher.

“The publisher, FinFisher GmbH, claims that it sells the software exclusively to government agencies for use in targeted and lawful criminal investigations,” Microsoft said. “The apparent use of a version of FinFisher suggests that the exploit and the spear phishing campaign that delivered it were the work of an attack group probably connected in some way to a state actor.”

More than 80 percent of NEODYMIUM victims spotted by Microsoft were located in Turkey, but infections were also detected in the U.S., Germany and the U.K. The company pointed out that Wingbird has only been used to target individuals, not devices that are part of an organization’s network.

Additional details on PROMETHIUM and NEODYMIUM, including indicators of compromise (IoC), are available in Microsoft’s latest Security Intelligence Report.

Related: Pawn Storm Group Targets Turkey

Related: Turkey to Probe Massive ‘Personal Data Leak’