
Experts detailed new StrongPity cyberespionage campaigns


Experts at AT&T’s Alien Labs recently discovered an ongoing campaign conducted by StrongPity threat actor that abuses malicious WinBox installers to infect victims.

The activity of the group was initially uncovered in 2016, when experts at Kaspersky observed the cyberespionage group targeting users in Europe, the Middle East, and Northern Africa. The group set up malicious sites mimicking legitimate ones to carry out watering hole attacks that delivered tainted installers and malware.

The new campaign started in the second half of 2018; the attackers once again used tainted versions of popular software such as WinRAR to compromise victims’ systems.

“Alien Labs has identified an unreported and ongoing malware campaign, which we attribute with high confidence to the adversary publicly reported as “StrongPity”. Based on compilation times, infrastructure, and public distribution of samples – we assess the campaign operated from the second half of 2018 into today (July 2019).” reads the analysis published by the researchers. “We have also identified StrongPity deploying malicious versions of the WinBox router management software, WinRAR, and other trusted software to compromise targets.”

The new malware samples analyzed in July 2019 appear to have been rebuilt by the group in response to public reporting on its activities. The analysis of compilation times, infrastructure build and use, and public distribution of samples allowed the experts to attribute the activity to the StrongPity group.

One of the samples employed by the hackers in the recent campaign is a malicious installer for WinBox, the management console for MikroTik’s RouterOS software.

The installer implements all of the features of the legitimate software, but it installs the StrongPity malware on the target’s machine.


The malware operates similarly to previously reported variants: it implements spyware capabilities and gives the attacker remote access to the compromised machine. The malicious code communicates with the command and control (C&C) infrastructure over SSL.

“The malicious WinBox installer drops the StrongPity sample into the Windows Temporary directory as %temp%\DDF5-CC44CDB42E5\wintcsr.exe. Similar to previous reports of StrongPity, the malware communicates with the C2 server over SSL.” Alien Labs notes.
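The drop path quoted above is the one concrete host artifact in the report. As an added example (not code from Alien Labs or from this article), the following script checks constructed file-creation events against that path, normalising per-user temp directories to the `%temp%` form; the broader "installer writes an .exe into a hex-named `%temp%` subfolder" rule is my own heuristic, not something the report states.

```python
import re
from typing import Dict, Iterable, List

# Drop path reported by Alien Labs for the tainted WinBox installer.
KNOWN_DROP_PATH = r"%temp%\DDF5-CC44CDB42E5\wintcsr.exe"

# Constructed sample events in a simplified "process|file_path" form (not real telemetry).
SAMPLE_EVENTS = [
    r"winbox-setup.exe|C:\Users\alice\AppData\Local\Temp\DDF5-CC44CDB42E5\wintcsr.exe",
    r"winbox-setup.exe|C:\Program Files\MikroTik\winbox64.exe",
    r"explorer.exe|C:\Users\alice\Downloads\winrar-x64-571.exe",
    r"WINBOX-SETUP.EXE|c:\users\bob\appdata\local\temp\ddf5-cc44cdb42e5\WINTCSR.EXE",
]


def normalize(path: str) -> str:
    """Lower-case the path and collapse a per-user temp directory to %temp%."""
    p = path.strip().lower().replace("/", "\\")
    # Assumption: user temp dirs look like C:\Users\<name>\AppData\Local\Temp.
    return re.sub(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp", "%temp%", p)


def is_known_drop(path: str) -> bool:
    """Exact match against the drop path documented in the report."""
    return normalize(path) == KNOWN_DROP_PATH.lower()


def is_suspicious_temp_exe(path: str) -> bool:
    """Heuristic (my assumption, not from the report): an .exe written into a
    hex-named subfolder directly under %temp%, which also covers renamed drops."""
    return re.fullmatch(r"%temp%\\[0-9a-f\-]{8,}\\[^\\]+\.exe", normalize(path)) is not None


def scan(events: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per event whose path matches the indicator or the heuristic."""
    hits = []
    for line in events:
        proc, _, path = line.partition("|")
        if is_known_drop(path):
            hits.append({"process": proc, "path": path, "match": "known_strongpity_drop"})
        elif is_suspicious_temp_exe(path):
            hits.append({"process": proc, "path": path, "match": "heuristic_temp_exe"})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["match"], hit["process"], hit["path"])
```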

“Reviewing the compilation timestamps of the identified malware, various clusters of individual campaign start times can be noticed, stretching back into the previous reports of early 2018.”

The APT group also used newer versions of tainted WinRAR software, as well as a tainted copy of the tool Internet Download Manager (IDM).

Experts were not able to determine exactly how the tainted installers are delivered; however, it is likely that methods used in past campaigns, such as regional download redirection by ISPs, are still in use.

The choice of installers for software such as WinRAR, WinBox, and IDM suggests that StrongPity is continuing to target technically oriented victims.

“Overall, the identified TTPs, newer versions of StrongPity, and the legitimate software used to deliver it operate in ways similar to how the adversary has historically operated.” concludes the report. “This is likely due to the high amounts of operational success for the adversary with minimal modification to evade detection following public reporting over the years.”


Pierluigi Paganini

(SecurityAffairs – StrongPity, APT)
