Rather than expend resources on creating fancy new tools, malicious hackers often do the bare minimum needed to breach their targets. That means that when researchers expose their malware, the groups tend to only slightly modify their code to keep it effective.
The latest activity from an advanced persistent threat known as StrongPity is a prime example. After having its actions called out last year, StrongPity has come up with new malware samples it is using in a months-long, ongoing campaign against users in Turkey, according to research published Wednesday by AT&T Alien Labs.
Although the code has been altered, the general attack method remains the same: go after users who download router management software to infect target organizations, and use the popular file archiver WinRAR for delivery. The spyware delivered to the organizations, which is also called StrongPity, hunts for documents on an infected network and lingers on, retaining remote access for its operators, Tom Hegel, a security researcher at AT&T Alien Labs, wrote in a blog post.
The rap sheet on StrongPity includes watering hole attacks on users in Belgium and Italy in 2016, and the infection of a Turkish telecommunications company to target hundreds of users in Turkey and Syria in 2018. Microsoft, which calls the group Promethium, says the hackers have been active since at least 2012.
Kurt Baumgartner, principal security researcher at Kaspersky, described StrongPity as a “mid-tier” APT group that has made incremental changes to its activity over the years.
“Their slow and steady malware enhancements next to curiously strong deployment methods demonstrate an outsourced reliance on external technologies to expand their capabilities,” Baumgartner told CyberScoop. “Their targeting appeared to be regional and fairly consistent over time, and we expect to see more of their activity for years to come.”
Hegel told CyberScoop the newly exposed campaign has successfully compromised at least some targets and that, based on the location of the victims and use of the spyware, the adversary could be selling its tools to multiple government organizations. That would be in keeping with the proliferation of other spyware kits like FinFisher and Pegasus.
Likely because it has proved successful in other hacking operations in recent years, StrongPity has stuck with its guns in using legitimate software to infect its targets, Hagel wrote. For example, the group has used a malicious installer for WinBox, a program for administrating a router operating system, without leaving obvious signs of compromise to a victim.
“[Strong Pity is] basically changing as little as possible,” Hegel told CyberScoop. “I expect them to do the same in response to our blog.”