StrongPity APT Back with Kurdish-Aimed Watering Hole Attacks

silversurfer (Thread author)
The spy malware is being delivered via a complex infrastructure with multiple layers, in an effort to avoid analysis.

The APT group known as StrongPity is back with a new watering-hole campaign, targeting mainly Kurdish victims in Turkey and Syria. The malware served offers operators the ability to search for and exfiltrate any file or document from a victim’s machine.

The group (a.k.a. Promethium) is operating a series of bogus websites purporting to offer a range of popular software utilities. The tools on offer are trojanized versions of archivers, file-recovery applications, remote-connection applications, security software and more. These include 7-zip, WinRAR archiver, McAfee Security Scan Plus, Recuva, TeamViewer, WhatsApp, Piriform CCleaner, CleverFiles Disk Drill, DAEMON Tools Lite, Glary Utilities and RAR Password Unlocker.

The sheer variety of the trojanized applications on offer in the latest campaign is a method aimed at casting a wide net in terms of victims’ interests, according to researchers at Bitdefender in a report released Tuesday. That’s not to say however that the attacks are devoid of targeting.

The effort selectively targets victims using a pre-defined IP list, researchers said; if the victim's IP address matches one found in the installer's configuration file, the attackers deliver a tainted version of the trojanized application. Otherwise, they deliver a legitimate version. The IPs on the list appear to correspond to Kurdish targets, according to the research.
Full report by researchers: