This is how government spyware StrongPity uses security researchers' work against them

While researchers are looking forward, hackers are going back to their roots to create new attacks from the ashes of old ones.
Written by Charlie Osborne, Contributing Writer

While researchers are looking forward, hackers are going back to their roots to create new attacks from the ashes of old ones -- with a few modern, minor tweaks.

The cybersecurity arena is in constant flux with an ongoing battle taking place between security vendors and researchers, threat actors, and state-sponsored groups.

Security advisories and vulnerability disclosures are valuable to vendors, IT staff, and cybersecurity teams alike.

Forewarned is forearmed, and keeping up-to-date on the latest threats and attacks taking place -- such as in the case of the ongoing Magecart campaign -- can give organizations the opportunity to review their security infrastructures and remedy problems, outdated software, or bugs, as necessary.

Advisories also give cybersecurity professionals worldwide the opportunity to connect the dots when it comes to modern threat groups or the resurgence of old threats.

However, it is not just white hats who find such advisories and security bulletins of interest.

According to threat prevention firm Cylance, "as defenders race ahead to identify the next and newest methods of attack, attackers often lag behind and reuse the old and obvious ones with success."


Attacks are uncovered, the technical details of how, when, and what is exposed. However, as researchers move on to the next campaign, some threat actors will restructure old attacks and resume them.

One such threat actor, behind the Promethium/StrongPity malware and believed to be law enforcement-based or state-funded, employs this tactic.

Back in March, Citizen Lab published a report detailing the use of Sandvine/Procera Deep Packet Inspection (DPI) hardware being abused to perform Man-in-The-Middle (MiTM) attacks on Internet traffic in order to deploy StrongPity malware payloads via browser redirection.

Victims in Turkey -- and indirectly, Syria -- were targeted via their ISP. When users attempted to download legitimate programs such as Avast Antivirus, 7-Zip, or CCleaner, they would silently be redirected to malicious versions which contained spyware bundles.

"Before switching to the StrongPity spyware, the operators of the Turkey injection used the FinFisher 'lawful intercept' spyware, which FinFisher asserts is sold only to government entities," the report says.


The report drew on prior research from Kaspersky Lab, Microsoft, and ESET. Almost immediately after the publication of bulletins, however, the threat actor changed tactics.

StrongPity began using a new infrastructure which relied on domains registered several weeks after Citizen Lab's research was published. In addition, small code changes such as file name changes, code obfuscation, and new IP addresses were all implemented.

Cylance says the malware continues to adapt as more information is published.

"We believe the malware is likely part of yet another commercial (grayware) solution sold to governments and law enforcement agencies, and we have reason to believe it bears a strong connection to a company based in Italy -- a lead we hope to investigate in the near future," the company says.

Microsoft's research on the malware in 2016 also resulted in the inclusion of new code intended to disable Windows Defender on the Windows 10 operating system. The new feature attempts to turn off sample submission and disable behavior monitoring in order to hide the presence of a PowerShell dropper.


Cylance says this malware behavior is relatively unique, and "was done in response to Microsoft's earlier research and an attempt to keep malicious samples out of the hands of researchers."
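The two settings described above (sample submission and behavior monitoring) can be audited from the defender's side. The following PowerShell is an added example, not code from the article or from Cylance; it uses the built-in Defender cmdlets and the Defender operational log, and assumes that event ID 5007 messages name the changed setting (which is how they normally read, but treat the regex as an assumption).

```powershell
# Added example (not from the article or Cylance): audit the two Defender
# settings the article says the StrongPity dropper tries to switch off, and
# surface recent configuration-change events so the change can be timelined.
function Test-DefenderTampering {
    param([int]$Days = 7)

    $pref     = Get-MpPreference
    $status   = Get-MpComputerStatus
    $findings = @()

    # SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples,
    # 2 = never send, 3 = send all. "Never send" is what hides samples from vendors.
    if ($pref.SubmitSamplesConsent -eq 2) {
        $findings += 'Sample submission is disabled (SubmitSamplesConsent = 2)'
    }

    # Behavior monitoring can be turned off via preference or via policy; check both views.
    if ($pref.DisableBehaviorMonitoring -or -not $status.BehaviorMonitorEnabled) {
        $findings += 'Behavior monitoring is disabled'
    }

    # Event 5007 in the Defender operational log records each configuration change.
    # Correlate its timestamps with process-creation logs (e.g. Sysmon 1 / 4688)
    # to identify the process, such as a PowerShell dropper, that made the change.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    # Assumption: the 5007 message text names the registry value that changed.
    $changes = foreach ($e in $events) {
        if ($e.Message -match 'SubmitSamplesConsent|DisableBehaviorMonitoring') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Message = ($e.Message -split "`n")[0]
            }
        }
    }

    [pscustomobject]@{
        Tampered            = ($findings.Count -gt 0)
        Findings            = $findings
        RecentConfigChanges = @($changes)
    }
}

Test-DefenderTampering -Days 14 | Format-List
```

Run it elevated; a Tampered result with a matching 5007 event gives you the time window to pivot into process and PowerShell logs.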

ESET researchers documented the replacement of FinFisher with StrongPity in 2017, noting that the cyberattackers behind the malware pushed sensitive strings like command-and-control (C2) domains onto the stack in Unicode. Now, those strings are pushed in Unicode and additionally encoded.

The recent examination of the malware's activities has shown that StrongPity is still utilizing similar infection tactics and is redirecting users away from legitimate software downloads.

However, the malware is now also being employed against VLC Player, Internet Download Manager, WinRAR 5.50, and DAEMON Tools Lite.

Cylance says that as more security bulletins and reports are published on the malware's activities, the threat actor behind StrongPity will continue to adapt as they have "significant resources" at their disposal, and it may only take minor adjustments to revitalize old attacks.

"Defenders and those they serve would do well to think historically and look back more frequently to inspect the 'living memory' of threat actor behavior and campaigns in both the target organization's history as well as that of the larger threat intelligence community," Cylance says. "In this way, defenders can remain attentive to potential threats from behind that they would otherwise have considered 'old news' -- threats that were done and dealt with by the security community, but which may not be done dealing with their targets."
