StrongPity, also known as Promethium, is a threat group believed to have been active since at least 2012. The actor was first publicly reported in October 2016, with details on attacks against users in Belgium and Italy.
Later, in 2018, the attackers shifted their focus to another geographical region, compromising Turkish telecommunication companies in order to target hundreds of users in Turkey and Syria.
The attacks attributed to StrongPity are believed to be government-sponsored and to serve population surveillance and intelligence exfiltration. They are also believed to support the geo-political conflicts in the region.
The known preferred infection vector used by the StrongPity group is a watering hole technique, delivering malicious versions of legitimate installers to certain targets.
By closely monitoring this threat, Bitdefender has been able to investigate it from several angles. Besides the technical setup of the command and control servers, our researchers gained insight into the victims' profile.
Most of the targets are located in two regions in Turkey: in Istanbul and the area close to the Syrian border.
The data gathered in our investigation suggests that the attacker is especially interested in the Kurdish community, which places this threat in the geo-political context of the long-running conflict between Turkey and the Kurdish community.
- Watering hole tactic that selectively targets victims in Turkey and Syria using a pre-defined IP list
- 3-tiered C&C infrastructure for covering tracks and thwarting forensic investigation
- Use of fully working Trojanized versions of popular tools, compiled during working hours
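The "compiled during working hours" observation comes from the TimeDateStamp field in the PE/COFF header of the Trojanized installers. The script below is an added example, not Bitdefender's tooling, showing how an analyst extracts that timestamp from a PE file, converts it to an assumed local time zone (UTC+3 for Turkey is an assumption here), and classifies it as inside or outside a working-day window. The sample PE images are constructed inline with fixed timestamps so the script runs offline; the caveat in the code is that this field can be zeroed, forged, or replaced by a reproducible-build hash, so it is a weak signal on its own.

```python
import struct
from datetime import datetime, timezone, timedelta


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE image (DOS stub + PE signature + COFF header).
    Only the fields needed for timestamp extraction are populated."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> PE signature at offset 64
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timedatestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp (seconds since the Unix epoch, UTC)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # TimeDateStamp sits 8 bytes past the signature (after Machine and NumberOfSections)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def compile_time_local(data: bytes, utc_offset_hours: int) -> datetime:
    """Convert the timestamp to the assumed local time zone of the developer.
    Raises if the field is zeroed or saturated, which means it carries no date."""
    ts = pe_timedatestamp(data)
    if ts in (0, 0xFFFFFFFF):
        raise ValueError("TimeDateStamp cleared or invalid; cannot infer build time")
    # Caveat: recent MSVC /Brepro builds store a hash here, not a time. Values that
    # decode to an implausible year should be treated as unreliable.
    return datetime.fromtimestamp(ts, tz=timezone(timedelta(hours=utc_offset_hours)))


def compiled_in_working_hours(data: bytes, utc_offset_hours: int,
                              start_hour: int = 9, end_hour: int = 18) -> bool:
    """True if the build time falls on Monday-Friday within [start_hour, end_hour)."""
    local = compile_time_local(data, utc_offset_hours)
    return local.weekday() < 5 and start_hour <= local.hour < end_hour


def working_hours_ratio(samples, utc_offset_hours: int) -> float:
    """Fraction of a sample set built during working hours; a value near 1.0
    across many unrelated builds is the pattern the text refers to."""
    usable = []
    for blob in samples:
        try:
            usable.append(compiled_in_working_hours(blob, utc_offset_hours))
        except ValueError:
            continue                               # skip samples with no real timestamp
    return sum(usable) / len(usable) if usable else 0.0


if __name__ == "__main__":
    # Constructed timestamps: Tue 2018-06-05 10:30 UTC+3, Wed 2018-06-06 02:00 UTC+3,
    # Sat 2018-06-09 11:00 UTC+3
    samples = [build_sample_pe(1528183800), build_sample_pe(1528239600),
               build_sample_pe(1528531200)]
    for blob in samples:
        print(compile_time_local(blob, 3).isoformat(), compiled_in_working_hours(blob, 3))
    print("working-hours ratio:", working_hours_ratio(samples, 3))
```

On a real corpus the ratio is computed over every binary attributed to the actor; a consistent 09:00-18:00, Monday-to-Friday cluster in one time zone supports the "working hours" claim, while a uniform spread or many cleared timestamps means the field was sanitized and says nothing.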
During the time we closely monitored this threat actor and investigated different points of their infrastructure, we were able to distinguish two types of servers, each fulfilling one of two main roles:
- Servers that serve the poisoned installer used in the initial compromise (referred to from this point on as Download Servers)
- Servers used for exfiltrating information and for interacting with the victim through commands (referred to from this point on as Command and Control Servers)