StrongPity Extends Global Reach with New Infrastructure

The StrongPity APT group, also tracked as APT-C-41, has been active since at least 2012. It was first publicly reported in October 2016 that users in Belgium and Italy had been targeted by watering-hole attacks that served malicious versions of the WinRAR and TrueCrypt file-encryption software.

The group mainly relies on Truvasys, a first-stage malware that has been used in multiple attacks, delivered through Trojanized general-purpose computer utilities (including WinRAR, WinUtils, TrueCrypt and SanDisk tools). In each of its campaigns, the Truvasys malware carries an evolved set of functions.

Researchers note that StrongPity shows the hallmarks of an APT unit: it uses zero-day vulnerabilities and sophisticated attacks to compromise victims for espionage. After the 2016 attacks, the threat actors expanded their TTPs to include watering-hole attacks and large-scale phishing email campaigns.

The following is the timeline of the StrongPity APT group's activity from 2016 onward.


Figure 1. Timeline of StrongPity APT attack

In 2016, the group mainly targeted countries such as Italy and Belgium; its victims are now spread across Europe, North Africa, Canada and Asia. The StrongPity APT team focuses on finding and exfiltrating data from infected computers. The group operates a series of fake websites that pretend to offer a range of software tools; these sites deliver Trojanized versions of legitimate applications.

While tracking the activities of the StrongPity APT team, we found that its latest campaign delivers a Trojanized Partition Find and Mount software utility and uses an updated C&C infrastructure. In this blog, we focus on the technical details of the team's latest cyber attack.

The following figure shows the high-level process of StrongPity malware installation.


Figure 2: High-level execution flow chart

The high-level execution process of StrongPity infection is as follows:

· First, the APT actors use watering-hole attacks or phishing emails to deliver the Trojanized Partition Find and Mount software utility to victims.

· The Trojanized installer drops multiple malware components and configuration files into the %temp%\ndaData folder.

· The Launcher component is responsible for executing the Exfiltrate module, which in turn runs the File Searcher component.

· The File Searcher component enumerates the system drives and looks for target files with specific extensions. The extension list is embedded in the StrongPity payload.

· If a matching file is found on the victim's computer, it is copied into a temporary zip archive. After the files have been added to the archive, it is split into hidden, encrypted .sft files.

· These hidden .sft files are sent to the C&C server via POST requests and are then deleted from disk according to further C&C commands. The Exfiltrate module has a command to delete the .sft files after they have been sent to the attacker's C&C server.

When the Trojanized installer is executed, it extracts and decrypts the encrypted payload, which is stored in its resource section.

It then drops the StrongPity payloads (the launcher and persistence components, the exfiltration and command-execution modules, and the File Searcher component) into the %temp%\ndaData folder. The following figure shows the decryption routine in process memory and the decrypted payload.

The malware payload creates a mutex named “thUseiGpkMkPkFYrIOvKN” to mark its presence in the victim’s system.
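The drop folder, the staged .sft chunks and the mutex described above are host artefacts a responder can check for directly. The following triage script is an added example written for this post, not code from the original analysis or from the malware; the function names, the constructed ndaData layout it builds for testing, and the Windows-only mutex check via OpenMutexW are assumptions of the example. Only the indicator values (ndaData, .sft, the mutex name) come from the report.

```python
"""Host triage for the StrongPity drop folder and mutex described above (added example)."""
import ctypes
import os
import sys
import tempfile
from pathlib import Path

# Indicators taken from the report text.
DROP_FOLDER = "ndaData"              # created under %temp%
STAGED_EXT = ".sft"                  # hidden, encrypted archive chunks awaiting upload
MUTEX_NAME = "thUseiGpkMkPkFYrIOvKN"


def mutex_present(name: str = MUTEX_NAME):
    """True if the named mutex can be opened, False if not; None on non-Windows hosts."""
    if sys.platform != "win32":
        return None
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    handle = kernel32.OpenMutexW(SYNCHRONIZE, 0, name)
    if not handle:
        return False
    kernel32.CloseHandle(ctypes.c_void_p(handle))
    return True


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute; elsewhere fall back to the dot-prefix convention."""
    if sys.platform == "win32":
        FILE_ATTRIBUTE_HIDDEN = 0x2
        return bool(os.stat(path).st_file_attributes & FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def find_drop_artifacts(temp_dir=None) -> dict:
    """Look for the ndaData folder under the temp directory and list staged .sft chunks."""
    base = Path(temp_dir) if temp_dir is not None else Path(tempfile.gettempdir())
    drop = base / DROP_FOLDER
    result = {
        "drop_folder": str(drop),
        "present": drop.is_dir(),
        "files": [],
        "sft_files": [],
        "hidden_sft_files": [],
    }
    if not result["present"]:
        return result
    for p in sorted(drop.rglob("*")):
        if not p.is_file():
            continue
        result["files"].append(p.name)
        if p.suffix.lower() == STAGED_EXT:
            result["sft_files"].append(str(p))
            if is_hidden(p):
                result["hidden_sft_files"].append(str(p))
    return result


def build_constructed_sample(base: Path) -> Path:
    """Create a constructed ndaData layout (placeholder bytes, not real malware) for testing."""
    drop = base / DROP_FOLDER
    drop.mkdir(parents=True, exist_ok=True)
    (drop / "config.ini").write_text("constructed placeholder\n")
    for chunk in ("archive.001.sft", "archive.002.sft"):
        (drop / chunk).write_bytes(b"\x00" * 16)
    return drop


def demo() -> dict:
    """Run the triage against a freshly built constructed sample and return the findings."""
    base = Path(tempfile.mkdtemp(prefix="strongpity-triage-"))
    build_constructed_sample(base)
    return find_drop_artifacts(base)


if __name__ == "__main__":
    print("mutex present:", mutex_present())
    print("live temp dir:", find_drop_artifacts())
    print("constructed sample:", demo())
```

Run it as-is on a suspected host to check the real temp directory; a present ndaData folder with .sft chunks inside it corresponds to the staging step of the execution flow, and an existing mutex indicates the payload is currently running. The mutex check only works on Windows, which is the platform the malware targets.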

The Exfiltrate component has a hard-coded C&C URL, which is decoded in memory as shown in the debugger image below. As in earlier variants, Parse_ini_file.php is used as part of the layer-1 communication; its role is to fetch commands from the C&C server.

The network capture shows multiple connection requests to the attacker's layer-1 C&C server (uppertrainingtool[.]com).
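The C&C domain and the Parse_ini_file.php command-retrieval path give a proxy or web-gateway log two things to match on, and the POST method distinguishes the .sft upload and command traffic from a stray GET. The following scanner is an added example written for this post, not a tool from the original analysis; the log format, the sample lines and the second request path to the domain are constructed, and the function names are assumptions of the example. Only the domain (kept defanged as published) and the script name come from the report.

```python
"""Proxy-log detection for the StrongPity layer-1 C&C traffic described above (added example)."""
import re
from urllib.parse import urlsplit

# Indicators taken from the report; the domain is kept defanged as published.
C2_DOMAINS_DEFANGED = ["uppertrainingtool[.]com"]
C2_COMMAND_SCRIPT = "parse_ini_file.php"   # Parse_ini_file.php, matched case-insensitively


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = [refang(d) for d in C2_DOMAINS_DEFANGED]

# Constructed proxy-log format: timestamp client method url status bytes_sent
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes_sent>\d+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path
    rec["bytes_sent"] = int(rec["bytes_sent"])
    return rec


def host_matches(host: str) -> bool:
    """Exact or subdomain match against the known C&C domains."""
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def indicator_hits(rec: dict) -> list:
    """Return the list of reasons a parsed record matches the StrongPity indicators."""
    reasons = []
    if host_matches(rec["host"]):
        reasons.append("host matches StrongPity layer-1 C&C domain")
    if rec["path"].lower().endswith("/" + C2_COMMAND_SCRIPT):
        reasons.append("request to Parse_ini_file.php command-retrieval endpoint")
    if reasons and rec["method"] == "POST":
        reasons.append("POST to C&C infrastructure (command/exfiltration channel)")
    return reasons


def scan_log(lines) -> list:
    """Scan an iterable of log lines and return one alert per matching request."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = indicator_hits(rec)
        if reasons:
            alerts.append({
                "line": n,
                "client": rec["client"],
                "method": rec["method"],
                "host": rec["host"],
                "path": rec["path"],
                "bytes_sent": rec["bytes_sent"],
                "reasons": reasons,
            })
    return alerts


# Constructed sample log: benign traffic, one command poll, one large upload, one junk line.
SAMPLE_LOG = [
    "2020-06-01T10:00:01Z 10.0.0.12 GET http://update.example.org/catalog.xml 200 0",
    "2020-06-01T10:00:05Z 10.0.0.12 POST http://uppertrainingtool.com/Parse_ini_file.php 200 412",
    "2020-06-01T10:00:09Z 10.0.0.12 POST http://uppertrainingtool.com/ 200 1048576",
    "2020-06-01T10:01:00Z 10.0.0.33 POST http://intranet.example.org/api/login 200 180",
    "this line is not a valid proxy record",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The domain match is the high-confidence rule; the Parse_ini_file.php path match fires on its own as well, so the same script name on a different host still produces a lower-fidelity alert worth a look. The bytes_sent field is carried through so an analyst can see which POSTs are large enough to be .sft uploads rather than command polls.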