StrongPity (also known as Promethium or APT-C-41) has been active since at least 2012. Its activity was first publicly reported in October 2016, when users in Belgium and Italy were targeted through watering hole attacks that served malicious versions of WinRAR and the TrueCrypt file encryption software.
The group mainly relies on Truvasys, a first-stage malware that has been delivered in multiple campaigns through Trojanized general-purpose utilities (including WinRAR, WinUtils, TrueCrypt and SanDisk tools). The functionality of Truvasys has evolved from one campaign to the next.
Researchers describe StrongPity as having the hallmarks of an APT group: it has used zero-day vulnerabilities and sophisticated attack tools to compromise victims for espionage. After the 2016 attack, the threat actors expanded their TTPs to include watering hole attacks and large-scale phishing email campaigns.
The following timeline shows the StrongPity APT group's activity since 2016.
Figure 1. Timeline of StrongPity APT attack
In 2016, APT-C-41 mainly targeted countries such as Italy and Belgium; its victims are now spread across Europe, North Africa, Canada and Asia. The group focuses on locating and exfiltrating data from infected computers. It operates a set of fake websites that claim to offer a range of software tools; these sites serve Trojanized versions of legitimate applications.
While tracking the group's activity, we found that it is now delivering a Trojanized version of the Partition Find and Mount utility and has updated its C&C infrastructure. This blog focuses on the technical details of the group's latest campaign.
The following figure shows the high-level process of StrongPity malware installation.
Figure 2: High-level execution flow chart
The high-level execution flow of a StrongPity infection is as follows:
· First, the APT actors deliver the Trojanized Partition Find and Mount utility to victims through watering hole attacks or phishing emails.
· The Trojanized installer drops several malware components and configuration files into the %temp%\ndaData folder.
· The Launcher component executes the Exfiltrate module, which in turn runs the File searcher component.
· The File searcher component enumerates the system drives and looks for files with specific target extensions; the extension list is embedded in the StrongPity payload.
· Each matching file found on the victim's computer is copied into a temporary zip archive. Once the files have been added, the archive is split into hidden, encrypted .sft files.
· The hidden .sft files are sent to the C&C server via POST requests and are later deleted from disk according to further C&C commands; the Exfiltrate module has a dedicated command to delete the .sft files once they have been sent to the attackers' C&C server.
When the Trojanized installer executes, it extracts and decrypts the encrypted payload stored in its resource section.
The payloads it drops into the %temp%\ndaData folder include the launcher and persistence components, the exfiltration and command execution modules, and the File searcher component. The following figure shows the decryption routine in process memory together with the decrypted payload.
The malware payload creates a mutex named “thUseiGpkMkPkFYrIOvKN” to mark its presence on the victim’s system.
The Exfiltrate component contains a hard-coded C&C URL, which is decoded in memory as shown in the debugger screenshot below. As in earlier variants, Parse_ini_file.php is part of the layer-1 communication and is the endpoint from which commands are retrieved from the C&C server.
The network capture shows multiple connection requests to the attacker’s layer-1 C&C server (uppertrainingtool[.]com).
Indicators of Compromise
MD5:
469c0460e4c1fefd01db4ae9f79c53c7
65689075a82a08bb797bb9a5cc2932c9
81390ce601d34f384bff9198eef793a9
8c24dd49d037121212985c722e1c7d03
a969a009d0927b1b4d9f8bb3c1ca49be
c81dcdd13572c151b6e04aa4d8a6dd43
SHA1:
975e5ac0f82b26eb4df8c718207c61dd8afee9ff
a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2
6067bb07169464ca2261fb7b9f3a50868a8d412f
6080cf16925c33fb0edbeeaf2a549a3749d99c9b
c510eb966accc688605662dbfd90caac94907583
682222409a0e4584ea772164e2fcc3dbdce07867
SHA256:
d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78
803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab
1185998fd595936708c1fc5a3ddeadbdd46b88e216419597da0b461e136ddfa7
9b499b3945d8f979fdbb46342e1fd3dd5b2b5aa4322e9447df13598817c670e1
8844d234d9e18e29f01ff8f64db70274c02953276a2cd1a1a05d07e7e1feb55c
b9f9fb303bc605410bc1a7095da6f77d5880a1a233f849375c1aa652f9d52e1a
Domains:
uppertrainingtool[.]com
updserv-east-cdn3[.]com
hybirdcloudreportingsoftware[.]com
transferprotocolpolicy[.]com
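The host artifacts from the execution flow above (the %temp%\ndaData drop folder, the hidden .sft staging files, the marker mutex) and the layer-1 C&C pattern (POST requests to the listed domains or to Parse_ini_file.php) translate directly into hunting logic. The script below is an added example written for this post, not code from the original report or from the malware; the proxy-log line format and the sample log lines and directory layout it builds are constructed for illustration, while the domains, folder name, file extension, script name and mutex name are taken from the report.

```python
"""Hunting helpers for the StrongPity artifacts described in the report.

Added example, not part of the original report.  Log format and sample
data are constructed; the indicators themselves come from the report.
"""
import os
import re
import sys
import ctypes
import tempfile
from urllib.parse import urlparse

# Defanged layer-1 C&C domains as listed in the report's IoC section.
DEFANGED_C2_DOMAINS = [
    "uppertrainingtool[.]com",
    "updserv-east-cdn3[.]com",
    "hybirdcloudreportingsoftware[.]com",
    "transferprotocolpolicy[.]com",
]
C2_SCRIPT = "parse_ini_file.php"   # layer-1 command-retrieval script from the report
DROP_FOLDER = "ndaData"            # dropped under %temp%
STAGING_EXT = ".sft"               # hidden, encrypted archive chunks
MUTEX_NAME = "thUseiGpkMkPkFYrIOvKN"


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return domain.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}

# Constructed proxy-log line shape (assumption): "<ts> <client> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def match_log_line(line: str):
    """Return (client, reason) if the line looks like StrongPity C&C traffic, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    if host in C2_DOMAINS:
        return m["client"], f"known C&C domain {host}"
    # Unknown host but the same command-retrieval script reached via POST: worth a look.
    if m["method"] == "POST" and url.path.lower().endswith("/" + C2_SCRIPT):
        return m["client"], f"POST to {C2_SCRIPT} on {host}"
    return None


def hunt_logs(lines):
    """Run match_log_line over an iterable of log lines and keep the hits."""
    return [hit for hit in (match_log_line(line) for line in lines) if hit]


def _is_hidden(path: str) -> bool:
    """FILE_ATTRIBUTE_HIDDEN on Windows; dot-prefixed name elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & 0x2)   # FILE_ATTRIBUTE_HIDDEN
    return os.path.basename(path).startswith(".")


def hunt_host(temp_root: str):
    """Report the ndaData drop folder and any .sft staging files beneath temp_root."""
    findings = []
    drop = os.path.join(temp_root, DROP_FOLDER)
    if os.path.isdir(drop):
        findings.append(("drop_folder", drop))
    for dirpath, _dirs, files in os.walk(temp_root):
        for name in files:
            if name.lower().endswith(STAGING_EXT):
                full = os.path.join(dirpath, name)
                findings.append(("hidden_sft" if _is_hidden(full) else "sft", full))
    return findings


def mutex_present(name: str = MUTEX_NAME):
    """True/False on Windows depending on whether the marker mutex exists; None elsewhere."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    handle = k32.OpenMutexW(0x00100000, False, name)   # SYNCHRONIZE access
    if not handle:
        return False
    k32.CloseHandle(handle)
    return True


def build_constructed_drop_tree() -> str:
    """Create a throwaway directory mimicking the drop layout (constructed test data)."""
    root = tempfile.mkdtemp(prefix="strongpity_demo_")
    drop = os.path.join(root, DROP_FOLDER)
    os.makedirs(drop)
    for name in (".chunk1.sft", "settings.ini"):
        open(os.path.join(drop, name), "w").close()
    return root


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = [
    "2020-06-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2020-06-01T10:00:07Z 10.0.0.5 POST http://uppertrainingtool.com/parse_ini_file.php 200",
    "2020-06-01T10:00:09Z 10.0.0.9 POST http://cdn.example.net/api/parse_ini_file.php 200",
    "2020-06-01T10:00:12Z 10.0.0.7 GET http://updserv-east-cdn3.com/ 404",
]

if __name__ == "__main__":
    for client, reason in hunt_logs(SAMPLE_LOG):
        print(f"{client}: {reason}")
    for kind, path in hunt_host(build_constructed_drop_tree()):
        print(f"{kind}: {path}")
    print("marker mutex present:", mutex_present())
```

On a real host, point hunt_host at the user's %TEMP% directory and run mutex_present on Windows; the log matcher is meant to be adapted to the proxy or DNS log format actually in use, with the domain set extended as further infrastructure is published.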