StrongPity APT Changes Tactics to Stay Stealthy

The APT group behind the sophisticated malware known as StrongPity (a.k.a. Promethium) has changed its tactics, after various research groups analyzed the malware and exposed its methods of deployment. The efforts have allowed the group to return to hidden status, even after being labeled a known quantity, according to researchers.

A fresh analysis reveals that the StrongPity group made only minor adjustments, requiring minimal effort and code changes – but that these have been enough to be effective in keeping their infrastructure out of the limelight. Now researchers say they have observed new domains and new IP addresses, plus filename changes and small encryption enhancements.

“Often, when researchers identify and unveil the work of threat groups, the malicious activity exposed disappears from view, and the researchers move on,” Cylance researchers explained in a report released Tuesday. “The trouble is, the more advanced threat actors often do not. And with more people looking ahead rather than behind, attackers are free to restructure old attacks and resume them.”

Kaspersky Lab researchers first shed light on StrongPity in a report from 2016. Researchers there described the actor as a characteristic APT outfit using its share of zero-days vulnerabilities and modular attack tools to infiltrate victims and conduct espionage. It was also seen using watering-hole attacks to steer its targets toward sites hosting malware-laced versions of WinRAR and TrueCrypt, two free encryption utilities long popular with security and privacy conscious users.

That was followed by more research in 2016 from Microsoft, which called the malware Promethium, showing the group targeting individuals in Europe with zero-day vulnerabilities. Then in 2017, ESET researchers identified a Promethium/StrongPity variant being used at the ISP level in two unnamed countries, signaling a change in approach.

This year in March, researchers at Citizen Lab said that they had uncovered the APT attacking at an ISP level, by abusing Sandvine/Procera deep packet inspection (DPI) hardware in Türk Telekom’s network. DPI boxes are typically used by ISPs to help manage traffic loads on their networks and enable policy-based, application-aware bandwidth management; the idea is to ensure that consumers don’t feel internet slowdowns during periods of heavy traffic.

However, Citizen Lab said that it saw the threat group compromising these legitimate DPI boxes to insert the StrongPity malware into otherwise benign traffic, targeting regions in Turkey.

“The middleboxes were being used to redirect hundreds of users in Turkey and Syria to nation-state spyware when those users attempted to download certain legitimate Windows applications,” Citizen Lab said at the time.

Sandvine denied the intimation that this was being done with the complicity of the ISP itself, but regardless of attribution, the report had an effect on the StrongPity gang: Just two weeks after it was published, Cylance observed new Promethium/StrongPity activity with altered tactics, utilizing new infrastructure.

“The malware has continued to adapt as new information is published,” researchers explained. “Defenders and those they serve would do well to think historically and look back more frequently to inspect the ‘living memory’ of threat actor behavior and campaigns in both the target organization’s history as well as that of the larger threat intelligence community.”

Small Changes, Big Payoff

The recent changes by the group include the use of several new filenames and paths by its latest round of droppers.

“The ‘netplvliz.exe’ binary is installed as a service with the display name, ‘Advanced User Accounts Control,’ to maintain persistence on affected systems,” Cylance explained. “Its primary role is to launch the ‘IpeOve32.exe,’ binary which performs the bulk of the malicious actions.”

The new droppers also use a new PowerShell command that attempts to alter the default behavior of Windows Defender on Windows 10 systems. It does this “by excluding the system and temp directories as well as turning off sample submission and disabling behavior monitoring,” the firm noted.

Meanwhile, in the StrongPity backdoor itself, the encoding methods used for string obfuscation have been switched up, and the group abandoned previously used configuration files that ESET had documented in 2017.

“In late March of 2018, the threat actors behind Promethium just pushed sensitive strings like C2 domains onto the stack in unicode,” Cylance said. “In May, their method of attack evolved to push encoded unicode strings onto the stack, then XOR those values against a single byte key and subtract one from that value. Both domain names for the malware are stored in this way.”

The APT as a result of this evolution has not had any large or notable attacks being uncovered for the last few months, Cylance noted.

“The group or groups behind Promethium/StrongPity will likely continue to adapt to security publications about them,” the research team said. “It’s clear they have significant resources at their disposal and will continue to evolve as necessary.”