AT&T’s Alien Labs experts recently discovered an ongoing campaign conducted by
The activity of the group was initially uncovered in 2016 when experts at Kaspersky observed the
The new campaign started in the second half of 2018, attackers used once again tainted version of popular software like WinRAR to compromise victims’ systems.
The new malware samples analyzed in July 2019 appear to have been
One of the samples employed by the hackers in the recent campaign is a malicious installer for the WinBox, which is the management console for MikroTik’s RouterOS software.
The installer implements all of the features of the legitimate software, but it installs the StrongPity malware on the
The malware operates similarly to previously reported variants, it implements spyware capabilities and allows the attacker to get remote access to the compromised machine. The malicious code communicate with the command and control (C&C) infrastructure over SSL.
“The malicious WinBox installer drops the StrongPity sample into the Windows Temporary directory as %temp%\DDF5-CC44CDB42E5\wintcsr.exe. Similar to previous reports of StrongPity, the malware communicates with the C2 server over SSL.” Alien Labs notes.
“Reviewing the compilation timestamps of the identified malware, various clusters of individual campaign start times can be noticed, stretching back into the previous reports of early 2018,”
The APT group used also newer versions of tainted WinRAR software, as well as a tool called Internet Download Manager (IDM).
Experts were not able to exactly determine the delivery mechanism of the tainted installers, however
The choice of using installers for software like WinRAR, WinBox, and IDM suggests that the StrongPity is continuing to target technically-oriented victims.
“Overall, the identified TTPs, newer versions of StrongPity, and the legitimate software used to deliver it operate in ways similar to how the adversary has historically operated.” concludes the report. “This is likely due to the high amounts of operational success for the adversary with minimal modification to evade detection following public reporting over the years.”
(SecurityAffairs – StrongPity, APT)