StrongPity APT – Waterhole attacks against Italian and Belgian users

Pierluigi Paganini October 11, 2016

Kaspersky published a report on cyber espionage activities conducted by StrongPity APT that most targeted Italians and Belgians with watering holes attacks.

Experts from Kaspersky Lab have published a detailed report on the cyber espionage activities conducted by the StrongPity APT. The group is very sophisticated, its operations leverage on watering holes attacks and malware to target users of software designed for encrypting data and communications.

The StrongPity APT targeted users Europe, the Middle East, and Northern Africa.

StrongPity set up the website ralrab.com aiming to mimic the legitimate rarlab.com website, the website was used as a landing domain to deliver poisoned installers of popular software. The group used to compromise the sites of certified distributors from Europe in an effort to redirect users to ralrab.com that was hosting the trojanized version of the legitimate application.

StrongPity group set up a rogue TrueCrypt website hosted at true-crypt.com, it was used to redirect users from software downloads website Tamindir. Kaspersky reported that StrongPity started setting up TrueCrypt-themed watering hole attacks in late 2015, but the experts of the company noticed a peak in the number of attacks this summer. The majority of the users that were victims of this attack were located in Turkey and some in the Netherlands.

Italian visitors of the legitimate distributor website winrar.it were redirected to trojanized WinRAR installers hosted from the winrar.it website itself.

“Over the course of a little over a week, malware delivered from winrar.it appeared on over 600 systems throughout Europe and Northern Africa/Middle East. Likely, many more infections actually occurred. Accordingly, the country with the overwhelming number of detections was in Italy followed by Belgium and Algeria. The top countries with StrongPity malware from the winrar.it site from May 25th through the first few days of June are Italy, Belgium, Algeria, Cote D’Ivoire, Morroco, France, and Tunisia.” states the report.

winrar it StrongPity component geolocation distribution

winrar[.]it StrongPity component geolocation distribution

In the arsenal of the StrongPity APT there are multiple components that allow attackers to gain complete control of the target system and effectively exfiltrate data from the machine. According to Kaspersky, the droppers used by the group were often signed with unusual digital certificates.

“Because we are talking about StrongPity watering holes, let’s take a quick look at what is being delivered by the group from these sites.” continues the report reporting more than systems infected with a StrongPity malware.

“When we count all systems from 2016 infected with any one of the StrongPity components or a dropper, we see a more expansive picture. This data includes over 1,000 systems infected with a StrongPity component. The top five countries include Italy, Turkey, Belgium, Algeria, and France.”

The group used a component that looks for encryption-supported software suites, including the SSH and telnet client Putty, the FTP tool FileZilla, remote connections manager mRemoteNG, Microsoft’s Mstsc remote desktop client, and the SFTP and FTP client WinSCP.

“When visiting sites and downloading encryption-enabled software, it has become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customers,” states the report.

According to Kurt Baumgartner, principal security researcher at Kaspersky Lab, the TTPs observed for the StrongPity APT are similar to the ones of another Russian threat actor known as Energetic BearCrouching Yeti /Dragonfly).

In 2014, Kaspersky published an interesting analysis on the Crouching Yeti group that used a large network of hacked websites (219 domains) as command and control infrastructure. The vast majority of these websites were legitimate and were used to serve malware and instruct bot agents worldwide to collect information on target systems. Most of the 2,800 companies identified as victims of the attack were in the industrial/machinery market and hacker most-targeted countries like the United States, Spain, Japan, and Germany.

”They ran vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise the servers were known to be zero-day. None of the client side exploits re-used from the open source metasploit framework were zero-day.” reports the report published by Kaspersky Lab.

Energetic Bear APT campaign Kaspersky

The attackers used the following attack scheme to infect victims:

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

Security Affairs –  (StrongPity APT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment