Security researchers have detected an ongoing attack carried out by a hacking group called StrongPity using spyware files. The findings show that this particular campaign appears to be focused on Kurdish targets located in Turkey and Syria.
Turkey and Syria Hosts Targeted By Experienced StrongPity Hackers Using Modified Spyware
The spyware used as the infiltration tool is a modified version of previously detected malware. It now includes newer functionality and code changes that reflect the fact that the criminals are experienced.
The hackers have preselected their targets so that they represent computers and networks owned and used by Kurds. This clearly shows that the campaign is politically motivated. The timestamps embedded in the captured files coincide with October 1, 2019. This can refer to two things — the compilation date of the tools or the beginning of Operation Peace Spring — the Turkish military operation in Syria that used this code name. All of this suggests the campaign may even be state-sponsored.
The infections are carried out by preselecting the target hosts and then launching a dangerous Trojan against them. The modified Trojans are delivered through a watering hole attack: commonly visited websites are selected, hacked and redirected to a hacker-controlled landing page. This triggers the download of an application bundle or direct executable files. These files are digitally signed with self-signed certificates so that they appear to be legitimate software. Encryption keys are also added in order to hide the droppers from ordinary security scans. Trojanized software bundles observed include the following:
- Archive Programs — 7-Zip and WinRAR
- Security Software — McAfee Security Scan Plus
- File Recovery Applications — Recuva
- Remote Connection Applications — TeamViewer
- Chat Applications — WhatsApp
- System Utilities — Piriform CCleaner, CleverFiles, Disk Drill, DAEMON Tools Lite, Glary Utilities and RAR Password Unlocker
When the droppers are executed the malicious code will start and interact with the hacker-controlled servers by retrieving the second stage of the spyware tools from them.
StrongPity Hackers Include Advanced Capabilities in the Spyware
When the victims run the relevant spyware files, four files are deployed: the legitimate software setup file, the launcher with its persistence component, the data hijacking component and a file searcher.
The Trojan first loads the actual legitimate software installer so that the victim users do not suspect any dangerous activity. In the meantime the malicious code is started in the background. The malware components are delivered in encrypted form and are decrypted in sections only when they need to be accessed, which shields them from security scans.
The launcher component of the spyware is placed in the SYSTEM folder, from where it starts a service of its own. The collected samples show that the malware impersonates a running operating system service such as Print Spooler or Registry Maintenance Server. A related action is the installation of the threat in a persistent state, meaning that the virus code and all related components are launched automatically when the computer is powered on.
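The service impersonation described above can be caught by comparing a host's service inventory against a known-good baseline: a service whose display name matches a built-in Windows service but whose service name or binary path differs, or a system-sounding service with no baseline entry at all, deserves a closer look. The following is an added detection example, not code from the article or from the StrongPity samples; the baseline table, the list of system-like words and the four service records are constructed for illustration (the "Registry Maintenance Server" record mirrors the name the article mentions, not a real sample).

```python
"""
Added example: flag Windows services that impersonate built-in services.

Input records mimic the ServiceName, DisplayName and ImagePath values an
analyst exports from the registry or from services.msc.  The baseline and
word list are assumptions for illustration; a real baseline is exported
from a known-clean host of the same Windows build.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ServiceRecord:
    name: str          # short service name, e.g. "Spooler"
    display_name: str  # name shown in services.msc
    image_path: str    # ImagePath registry value (binary plus arguments)


# Known-good baseline: lower-case display name -> (service name, binary path).
# Assumed values for two common services; extend from a clean-host export.
BASELINE: Dict[str, Tuple[str, str]] = {
    "print spooler": ("Spooler", r"c:\windows\system32\spoolsv.exe"),
    "windows event log": ("EventLog", r"c:\windows\system32\svchost.exe"),
}

# Words that usually appear only in built-in service display names; used to
# catch look-alikes that have no baseline entry.  Assumed list.
SYSTEM_WORDS = ("windows", "spooler", "registry", "update", "defender")


def normalize_path(image_path: str) -> str:
    """Reduce an ImagePath value to a lower-case executable path.

    Handles quoted paths with arguments, unquoted paths with arguments and
    the %SystemRoot% variable (assumed to expand to C:\\Windows).
    """
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        p = p.split(" ", 1)[0]
    p = re.sub(r"%systemroot%", lambda _: r"c:\windows", p, flags=re.IGNORECASE)
    return p.lower()


def assess(svc: ServiceRecord) -> List[str]:
    """Return the reasons a service looks like an impersonation; empty if clean."""
    reasons: List[str] = []
    path = normalize_path(svc.image_path)
    key = svc.display_name.strip().lower()
    if key in BASELINE:
        expected_name, expected_path = BASELINE[key]
        if svc.name.lower() != expected_name.lower():
            reasons.append(
                f"display name belongs to service '{expected_name}', not '{svc.name}'"
            )
        if path != expected_path:
            reasons.append(f"binary {path} is not the expected {expected_path}")
    elif any(word in key for word in SYSTEM_WORDS):
        reasons.append("system-like display name with no baseline entry")
    return reasons


def find_suspicious(services: List[ServiceRecord]) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for every service that assess() flags."""
    findings = []
    for svc in services:
        reasons = assess(svc)
        if reasons:
            findings.append((svc.name, reasons))
    return findings


# Constructed sample inventory: one genuine service, one name-and-path
# impostor, one system-sounding unknown service and one ordinary third-party
# service that must not be flagged.
SAMPLE_SERVICES = [
    ServiceRecord("Spooler", "Print Spooler", r"%SystemRoot%\System32\spoolsv.exe"),
    ServiceRecord("SpoolerSvc", "Print Spooler", r"C:\Windows\System32\spoolsvc.exe"),
    ServiceRecord("RegMaint", "Registry Maintenance Server",
                  r'"C:\Windows\System32\regmaint.exe" -k'),
    ServiceRecord("TeamViewer", "TeamViewer",
                  r'"C:\Program Files\TeamViewer\TeamViewer_Service.exe"'),
]


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_SERVICES):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Only the impostor and the unknown system-sounding service are reported; the genuine Print Spooler and the third-party TeamViewer service pass. Matching on the display name rather than the short service name is deliberate, because the display name is what a user or a casual triage sees, and it is the field an impersonator copies.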
The data collection module will run alongside the file searcher component in order to find files that may be deemed sensitive by the hackers. This includes both personal user information and machine data which will be sent to the criminals using a network connection.
Given these capabilities it is very possible that the code can be modified to include other functionality such as the following:
- Additional Malware Installation — During the infiltration process the spyware tools can be programmed to deliver and install malware across all major virus categories. This can include fully capable Trojans designed to take over control of the victim machines and steal sensitive data contained within them. Web threats often carry cryptocurrency miners as well – they download and run a sequence of complex, performance-intensive tasks that take advantage of the most important hardware components: CPU, memory, graphics, hard disk space, GPU and network bandwidth. For every completed and reported task the hackers receive cryptocurrency as a reward. Another possible payload is a ransomware virus — it processes user data according to a built-in list of target file type extensions. The files are encrypted, making them inaccessible, and the victims are then extorted into paying a decryption fee.
- System Changes — The criminals can also implement advanced system manipulation including the modification of configuration files and Windows Registry changes. This can make it impossible to start certain services and may also lead to unexpected errors and wider system issues.
- Botnet Recruitment — In some cases the contaminated hosts can be recruited into a worldwide network of connected computers. Their collective power can be harnessed for large-scale attacks concentrated on a single target. The most common type is the distributed denial-of-service campaign that takes down the target sites.
Such targeted campaigns are expected to continue, as advanced hacking groups are politically motivated and conduct preliminary research into the intended victim networks.