Continuing our study of the cyber-espionage operations bearing clear traces of involvement by a large Internet service provider, we found that the FinFisher spyware (FinSpy) has been replaced by another program. The new Win32/StrongPity2 spyware noticeably resembles a program attributed to the StrongPity cyber-espionage group. All ESET products, including the free ESET Online Scanner tool, detect and block the threat and remove StrongPity2 from compromised systems.

As we wrote in September, man-in-the-middle attacks were used to spread FinFisher in two countries, and in most cases the “man” in the middle was, with a fair degree of probability, operating at the level of an Internet service provider. According to ESET telemetry, the campaigns were terminated on September 21, 2017, the day our report was published.
On October 8, an identical campaign was launched in one of the two countries, using the same (and rather unusual) HTTP redirection structure to redirect browsers on the fly, only this time Win32/StrongPity2 was distributed instead of FinFisher. We analysed the new spyware and found similarities to the program that the StrongPity group allegedly used in the past.
The first similarity is the attack scenario: a user who tries to download legitimate software is redirected to a fake website, from which a trojanized version of the desired software is downloaded. Similar watering-hole attacks by the StrongPity group were recorded in the summer of 2016; their targets were mainly Italian and Belgian users of encryption software.
During the study, we found versions of the following programs trojanized with Win32/StrongPity2:
- CCleaner v 5.34
- Driver Booster
- Opera Browser
- Skype
- VLC Media Player v2.2.6 (32 bit)
- WinRAR 5.50
Since the beginning of the campaign, our telemetry has recorded more than one hundred attack attempts using Win32/StrongPity2.
We also found other similarities between the StrongPity group's spyware and the Win32/StrongPity2 implementation:
- identical code fragments
- configuration file structures (rather unusual) have a noticeable similarity, as shown in Figure 1:
Figure 1. Sample configuration files: StrongPity at the top, StrongPity2 at the bottom
- the same encryption algorithm is used in StrongPity and StrongPity2 (the very unusual Byte ^= ((Byte & 0xF0) >> 4))
- both programs use the identical (old) version of libcurl 7.45
- both programs use the same method of file exfiltration (the main payload exfiltrates files previously collected and saved by a special module)
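The per-byte transform quoted above, written out in Python as an added example (it is not code from ESET or from either malware family; the sample input is constructed). The point worth seeing is that the routine is its own inverse, so the same function decodes a recovered configuration blob, and that it leaves every high nibble untouched, which is why it is obfuscation rather than encryption:

```python
"""Per-byte transform Byte ^= ((Byte & 0xF0) >> 4) shared by StrongPity and StrongPity2.

Added example for analysts decoding recovered configuration data; the sample
input below is constructed, not a real configuration file.
"""


def strongpity_transform(data: bytes) -> bytes:
    """XOR every byte's low nibble with its own high nibble.

    The high nibble is left untouched, so the transform leaks half of every
    byte, and any byte below 0x10 passes through unchanged.
    """
    return bytes(b ^ ((b & 0xF0) >> 4) for b in data)


def is_involution() -> bool:
    """True if applying the transform twice restores every possible byte value.

    Applying it once does not change the high nibble, so the second pass XORs
    the low nibble with the same value again and cancels the first pass.
    """
    every_byte = bytes(range(256))
    return strongpity_transform(strongpity_transform(every_byte)) == every_byte


def decode_config(blob: bytes) -> str:
    """Decode an obfuscated blob back to text (decoding is the same routine as encoding)."""
    return strongpity_transform(blob).decode("latin-1")


# Constructed demonstration data, not from a real sample.
PLAINTEXT = b"example-c2.invalid|exfil|.doc;.pdf"
OBFUSCATED = strongpity_transform(PLAINTEXT)

if __name__ == "__main__":
    print("self-inverse:", is_involution())
    print("obfuscated  :", OBFUSCATED.hex())
    print("recovered   :", decode_config(OBFUSCATED))
```

Because the transform only touches the low nibble, a recovered blob still shows the structure of the original text (ASCII letters keep their 0x4-0x7 high nibbles), which is one reason this routine is a useful fingerprint when comparing samples.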
As for data theft, Win32/StrongPity2 targets files of the following types:
- .ppt
- .pptx
- .xls
- .xlsx
- .txt
- .doc
- .docx
- .pdf
- .rtf
In search of these files, the program avoids the following folders:
- %Windows%
- %Windows.old%
- %AppData%
- %Program Files%
- %Program Files (x86)%
- %ProgramData%
In addition to exfiltrating data, Win32/StrongPity2 can download and execute further malicious programs of the attackers' choosing, with the privileges of the compromised account.
Checking for compromise, cleaning the system and prevention
To check your system for a Win32/StrongPity2 infection, use the free ESET Online Scanner. Upon detecting Win32/StrongPity2, the scanner will remove it.
The system can also be checked manually. To do this, check for the presence of the folder %temp%\lang_be29c9f3-83we, which the malware creates to store its components, the main one being the file wmpsvn32.exe.
Another infection indicator that is easy to check is a registry string value located under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, named Help Manager, with %temp%\lang_be29c9f3-83we\wmpsvn32.exe in its data field.
Figure 2. Registry entry used by malware
To manually clean the infected system, follow these steps:
- Terminate the main component's process, wmpsvn32.exe
- Delete the folder %temp%\lang_be29c9f3-83we and all its contents
- Delete the Help Manager value from the registry key mentioned above
For the prevention of infection, we recommend using integrated security solutions.
Infection indicators
Hashes (SHA-1) of the studied samples:
4ad3ecc01d3aa73b97f53e317e3441244cf60cbd
8b33b11991e1e94b7a1b03d6fb20541c012be0e3
49c2bcae30a537454ad0b9344b38a04a0465a0b5
e17b5e71d26b2518871c73e8b1459e85fb922814
76fc68607a608018277afa74ee09d5053623ff36
87a38a8c357f549b695541d603de30073035043d
9f2d9d2131eff6220abaf97e2acd1bbb5c66f4e0
f8009ef802a28c2e21bce76b31094ed4a16e70d6
a0437a2c8c50b8748ca3344c38bc80279779add7
Domain used for downloading the trojanized Win32/StrongPity2 software:
hxxps://downloading.internetdownloading.co
URLs used to exfiltrate stolen data:
hxxps://updserv-east-cdn3.com/s3s3sxhxTuDSrkBQb88wE99Q.php
hxxps://updserv-east-cdn3.com/kU2QLsNB6TzexJv5vGdunVXT.php
hxxps://updserv-east-cdn3.com/p55C3xhxTuD5rkBQbB8wE99Q.php
Folder created by Win32/StrongPity2 to store its components:
%temp%\lang_be29c9f3-83we