Promethium APT attacks surge, new Trojanized installers uncovered

The hacking group behind StrongPity is ignoring constant exposure by researchers in its quest for global intelligence and surveillance.

Promethium, the threat group also known as StrongPity, has been tracked in a new wave of attacks deploying an expanded list of Trojanized installers that abuse the popularity of legitimate applications. 

Active since roughly 2002, the Promethium advanced persistent threat (APT) group has been exposed time and time again by security researchers and civil rights outfits for prolific surveillance and intelligence-gathering related to political targets. 

Typically, Promethium has focused on targets across Turkey and Syria, although the group has also dipped its toe into Italy and Belgium in the past. 

In new, separate reports, researchers from Cisco Talos and BitDefender have revealed not only new countries on the hit-list, but also an upgraded arsenal designed to compromise victim machines.

Talos has tracked roughly 30 new command-and-control (C2) servers belonging to Promethium that are tied to StrongPity3, an evolved form of the group's surveillance malware, which is also believed to be linked to state sponsorship.

To hide the spyware's activities, BitDefender says that the C2 network the team traced has three infrastructure layers, including the use of proxy servers, VPNs, and IP addresses that receive forwarded data. In total, the team mapped 47 servers with different functionalities.  

According to Talos, the target country list now includes Colombia, India, Canada, and Vietnam. BitDefender's report notes targets located near the border between Turkey and Syria, as well as Istanbul, which the team says "enforces the idea that this threat might be involved in the geopolitical conflict between Turkey and the Kurdish community."

In order to infect more victims, the APT has bolstered its toolkit via the use of new Trojanized setup files designed to deploy the StrongPity3 spyware. 

These include Trojanized setup files for a Turkish-language version of the Firefox browser, VPN PRO, DriverPack, and 5kPlayer, but there may be others.

The Trojanized files will install the legitimate application on a compromised machine, alongside the malware, in a bid to avoid detection and to prevent triggering suspicion in the victim when their expected software does not materialize. 

While examining installers linked to the threat actors, BitDefender noted that the malware droppers have compile times that indicate normal work weeks and 9 - 6 schedules, which could suggest that the campaign involves paid developer teams. 
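The compile-time reasoning above can be reproduced on a sample set by reading the COFF `TimeDateStamp` from each PE header and bucketing it into weekday working hours. This is an added example, not BitDefender's tooling; the `utc_offset_hours` parameter, the 9-to-18 window bounds, and the stub samples are assumptions constructed for illustration.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

def pe_compile_time(data):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if unusable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the timestamp.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    if stamp in (0, 0xFFFFFFFF):  # zeroed or sentinel: no timing information
        return None
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def schedule_profile(samples, utc_offset_hours=0, start=9, end=18):
    """Count compile times inside and outside a weekday start-to-end window."""
    tz = timezone(timedelta(hours=utc_offset_hours))  # assumed author time zone
    profile = Counter()
    for data in samples:
        ts = pe_compile_time(data)
        if ts is None:
            profile["unusable"] += 1
            continue
        local = ts.astimezone(tz)
        in_hours = local.weekday() < 5 and start <= local.hour < end
        profile["working_hours" if in_hours else "off_hours"] += 1
    return profile

def make_stub_pe(when):
    """Constructed sample: a bare DOS + PE/COFF header stub, not a real binary."""
    stamp = int(when.replace(tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, stamp) + b"\0" * 12

# Constructed samples (timestamps given in UTC), plus one non-PE blob.
SAMPLES = [
    make_stub_pe(datetime(2020, 3, 3, 10, 15)),  # Tuesday
    make_stub_pe(datetime(2020, 3, 5, 16, 40)),  # Thursday
    make_stub_pe(datetime(2020, 3, 7, 23, 5)),   # Saturday
    b"not a pe file",
]

if __name__ == "__main__":
    print(schedule_profile(SAMPLES))
    print(schedule_profile(SAMPLES, utc_offset_hours=3))
```

The timestamp is written by the linker and can be altered after the build, and the result shifts with the assumed time zone, so a profile like this supports a hypothesis about working patterns rather than proving one.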

The main differences between StrongPity3 and the previous version, StrongPity2, are a switch from libcurl to winhttp when performing C2 requests and a persistence mechanism that has moved from a registry key to a service. The APT's latest attack patterns follow the surveillance trend, together with the exfiltration of any Microsoft Office files detected on a compromised machine.

While the Talos team was unable to track the initial attack vector, the researchers say the files could land via a watering hole attack or in-path request interception -- with an ISP performing an HTTP redirect -- as described by CitizenLab in a 2018 report on Promethium's activities. 

CitizenLab's report documents the use of Sandvine/Procera Networks Deep Packet Inspection (DPI) devices to intercept traffic and deliver malware in Turkey and Syria, as well as to conduct malvertising and to covertly mine cryptocurrency across Egypt. 

"Promethium has been resilient over the years," Talos says. "Its campaigns have been exposed several times, but that was not enough to make the actors behind it to make them stop. The fact that the group does not refrain from launching new campaigns even after being exposed shows their resolve to accomplish their mission."
