CyberWire Daily - Waiting for their victims. [Research Saturday]
Episode Date: August 15, 2020
Bitdefender researchers have recently found that the APT group StrongPity has been targeting victims in Turkey and Syria. Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connection applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking. Joining us on this week's Research Saturday to discuss the research is Bitdefender's Liviu Arsene. You can find the research here: StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context,
simplifying security management with AI-powered automation,
and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at
zscaler.com slash security.
Most of this information, you know, it's too much to handle,
you know, for an average user or for the regular security researcher.
That's Liviu Arsene. He's a global cybersecurity researcher with Bitdefender.
The research we're discussing today is titled StrongPity APT: Revealing Trojanized Tools, Working Hours, and Infrastructure.
That's why we have some sort of automated systems that flag potentially interesting samples,
potentially interesting malware.
And that's when, you know, somebody goes in and manually digs through the sample to see if it's something interesting and worthwhile.
Well, let's go through it together.
So this APT group, StrongPity, they come to your attention.
Take us through what you discovered.
Right. So basically, we found a campaign, apparently, that they seem to have been operating
since last year. I think it all started with October 1st, 2019. At least that's our best guess.
But it seems to have been targeting the Kurdish community.
So basically, it seems to have been targeting victims either at the border with Syria or in Turkey's capital city.
So whoever was behind this in terms of, I mean, we assume that this APT group might have potentially been state-sponsored with some sort of political
motivation because the timestamps on the samples that we found seem to coincide with the same date
when the Operation Peace Spring began. So basically that was the day when Turkish military
offensive began into northern Syria. That is kind of like the only, if you will, circumstantial evidence
that we have right now to tie the campaign with this military operation.
I see. Well,
take us through exactly what was going on here. What were they up to?
So judging by the way they set up the infrastructure and by the way they compromised
victims, it seems that they were selectively targeting victims.
So they basically used an attack technique
that we called watering hole.
It's basically the type of tactic that involves
your victim coming to you instead of you going after your victim.
So if traditionally attackers would try to exploit a vulnerability in your browser, get you to download something from a tampered website or a website that they control or click on an attachment or stuff like that, now it seems that they decided to tamper with some localized software aggregates and sharers.
Basically just waiting for their victims to come to them and do
some actions on a website that they frequently visit. That's how you know that it's a targeted
attack because they apparently seem to have had a very good understanding of their victim's profile
and the types of websites that they visit so that they would know to compromise in advance
and simply just wait it out, just wait for the victims to come to them.
And so what were they, what sorts of websites were they taking advantage of?
It's just software aggregates and shares.
Basically the types of websites that you would use whenever you wanted to download some tools,
you know, like common archivers or unzipping tools or emulation tools, stuff like that.
So it's just regular traditional tools that you would normally use on your computer.
I see.
So suppose I'm someone who finds myself with one of these compromised tools.
So I install it on my system.
What would happen next?
Well, the interesting thing is that you wouldn't know that you've installed something malicious.
Now, the way this thing works is that they seem to have had a list of IP addresses
that belong to their targets.
So whenever they got a hit from one of those IP addresses visiting the compromised websites,
they would automatically redirect them to an infected tool.
So, for example, let's say I'm the victim.
I visit the website.
The attacker knows my IP address in advance,
and I want to download, for example, 7-Zip.
Instead of downloading the legitimate 7-Zip,
the attacker would redirect my download request
to one of their own servers
that practically feeds me a tampered version of 7-Zip.
I would then install 7-Zip.
It has a perfectly valid and legitimate package.
So after install, I wouldn't see anything peculiar,
nothing out of the ordinary would happen.
But it seems that the tool actually came with some additional components.
From what we were able to gather,
it seems to have had about four components,
mostly designed for persistency, data exfiltration, and stuff like that.
So to be clear here, I mean, the app's primary functionality was still in place. If you were
downloading a utility for zipping files, it was still able to do that.
Exactly. So they actually used the legit setup, the legitimate file, the legitimate tool that you would otherwise get from the legitimate website. But they added some additional components
on the side, you know, just to make things interesting.
Well, take us behind the scenes here of some of the additional components,
what exactly they were up to.
So there's a launcher and persistence component.
Basically, the name is pretty self-explanatory.
It allows, it sets up the exfiltration, basically,
and command execution components
as a persistent task on the victim's machine.
And then it has a component
that's specifically designed to search
through every file, every drive, every folder you have
on your computer. It's a file searcher component. So all of these, especially the file searcher
component, actually accept instructions from the command and control infrastructure alone.
And since I was talking about the command and control infrastructure, what's interesting about
it is that we seem to have uncovered that it has multiple layers. I mean, the victim
doesn't directly communicate with the final C&C. It goes through some additional steps. For
example, as soon as the victim is infected, there's a first layer that intercepts
the communication, pretty much guaranteeing or making sure that indeed we're talking
about a legitimate victim. It kind of validates the victim, if you
will, then it simply forwards that communication to a second layer C&C, which, if you will, kind
of acts like a proxy. So it makes sure that indeed whatever the level two C&C is receiving comes from
a C&C that's already part of the infrastructure, and it's not somebody trying to impersonate a level one C&C.
It also validates that indeed, we're talking about a victim,
that a legitimate victim is actually trying to communicate.
And the level two then just forwards everything that it received
from the level one to the level three,
which is the final command and control infrastructure.
And to me, this is kind of interesting.
You don't see a lot of instances in which somebody goes through all this trouble.
And this is to cover their tracks, you presume?
So yeah, this is, if you will, it's a tactic to make things difficult for us,
to make things very difficult in terms of finding out who's behind it,
who owns the infrastructure, and what's the purpose for each layer sometimes.
It adds obfuscation to the entire problem.
And what sort of insights were you able to gain by sort of unwinding that,
discovering these multiple tiers?
Well, not much, actually.
We just found that this is the type of infrastructure that they seem to use.
It's likely that this is just part of it because we've backtracked this.
I mean, everything that we found with other research found in the past.
And it seems that these guys have a pretty good track record of having infrastructure based in Europe and other countries.
So it's likely that they have a much broader infrastructure.
But this is just the scale that they've used in this particular campaign.
So it's likely that they're going to be using it.
It's likely that the full infrastructure is yet invisible to us.
It's like piecing together pieces of a puzzle.
One security researcher finds this three-layer infrastructure,
another security infrastructure finds an additional layer or finds another command and control server and so on.
It's difficult to have the full scope and magnitude
of the infrastructure that they're using.
And I guess this is pretty much the whole reason
why we call them an APT group.
They're advanced, persistent, they're knowledgeable,
skillful, and sometimes they have some sort of political benefactor or government benefactor.
Well, and one of the things you note here is that there seems to be a certain professionalism
to them, like they're keeping regular working hours.
Oh, yeah. So this is actually quite interesting because we've seen malware as a service,
you know, traditional malware that's being developed and delivered to the highest bidder,
acting pretty much like a software outsourcing company.
These guys, instead of showing up to work, they wake up at 9 a.m., sit in front of a computer.
They've got a project manager. They've got marketing. They've got sales.
And they just write their own piece of code during working hours.
APT groups take this to a whole new level.
I mean, if you're talking about a group that's potentially state-sponsored
and has some sort of political motivation,
it's literally just like a software outsourcing company.
These guys wake up at 9 a.m., they clock in,
and they clock out at 6 p.m.
And they pretty much act like security experts, if you will,
except they're sitting on the wrong side of the fence.
Because make no mistake, they are very good at what they do.
They have a very good understanding of how security solutions work,
of how operating systems work, the internals of operating systems work. And in some cases, they are even more skilled than traditional security folk.
Now, in terms of detecting what they were up to, once they're within an environment,
how noisy are they? How stealthy are they? How likely are they to be discovered?
Right. So that's the interesting thing.
You probably won't know that they've breached your infrastructure
or exfiltrated some information before it's probably too late.
Because what they do is, once they have that component that I said,
start searching for files, they look for files with specific extensions.
If they find some files that are
interesting, they just simply download them on a network computer that sits within the same
compromised infrastructure, or it sits, you know, on the victim's computer, basically a folder.
So they gather all the information they need from various folders, partitions, or even, you know,
network-attached devices into a single folder on the victim's computer. Now, once they have all that, they
simply create archives of it, they split them, and just send them to the command and control server.
You know, if you're a network administrator, you would see that your employee is probably
uploading some zip files to a file share or is some files online. But it's nothing out of the ordinary to upload a file, a zip file.
And they're encrypted as well, which adds to the difficulty in analyzing what's being
sent, I suppose.
Exactly.
Sometimes they're encrypted, sometimes they're password protected, making decompression
difficult to find out what exactly goes on.
And after they've successfully exfiltrated everything they needed to know,
they delete the archives, the folder, and they even have a kill switch
that they can use to simply remove the threat from the infected computer
and just be gone with it.
Just remove any forensic evidence that they might have left behind.
Well, let's touch on persistence here.
Do they have ways of staying on a machine if they want to?
If they are discovered and the folks clean off their machine, for example,
are they able to come back?
It depends. I mean, most of the persistence mechanisms that we've seen
involve creating a new service and naming that service,
you know, like something, a Windows service would be named, like Print Spooler or, you know, stuff like that.
So if you don't know what you're looking for, if you're looking at that service and you don't know
what it does and it has a common name, you're probably not going to realize that it's a
malicious service. Of course, if you do a complete wipe or if you kill that service, it will probably be spun up again once the computer reboots.
I see. Well, so what are your recommendations for folks to protect themselves against this?
Oh, well, so I think you should probably, you know, first and foremost, use a security solution.
It's not often that I get to stress this strong enough.
I've got a lot of complaints from people that say
they've been compromised or they've had some sort of security issue
because they either disabled some features from the security solution
or because at some point they decided they know better.
I actually have quite a few stories with people that got infected
by disabling the security solution because they believed the spear phishing email, you know, instead of the
security solution. So yeah, so start with that. Then it's probably best that you also, you know,
try to get your information and get your tools, get your software from the legitimate website.
If you want to download applications, make sure you download them from the official website,
not sources that are not usually trusted.
Or they are trusted, but they could be compromised.
So again, make sure that you're getting your information from the official website.
And if you're a company and you want to make sure
that even if something like this happens
and an employee ends up being affected,
I think it's also important to have the proper security stack
deployed within your infrastructure.
I mean, look, now since everybody's working from home,
I think most companies think that their employees
are usually the weakest link,
basically because they're no longer
within the company infrastructure
and they're relying on their home network.
Address that, if you will.
You need to have some sort of technologies deployed on the endpoint,
on the employee's endpoint, that do some sort of network analysis,
some sort of policy enforcement in terms of what these employees can install, cannot install, and stuff like that.
There are security technologies out there that will offer you even the opportunity to assess your employee's home network remotely.
For example, this is something that I've recommended since the pandemic.
If your employees start dialing into your infrastructure from their home network,
wouldn't it be interesting if you could just, you know, take their IP addresses and just run a port scan on them?
Just to make sure that, you know, maybe their router is exposing the router control interface online.
Maybe they have some custom shares that they've, you know, enabled without knowing on their routers,
and they're publicly exposing files online.
Do some sort of pen testing, if you will, on your employees' home network,
and let them know about it, because otherwise that's just mean.
Not very sporting of you, right?
Exactly.
So everybody needs to be aware that we're living, this is, we're living some interesting times
and everybody working from home,
it's natural that some companies might feel
that employees potentially can be more at risk
than ever before,
especially now that they work from home.
Now, if until now they received, for example,
a spear phishing email,
they could simply just, you know,
ask your buddy to the left or to the right, hey, is this an email coming from John, the CFO? Oh, no, the CFO's on vacation.
Well, now that they're home, they've got nobody to ask. And contacting your IT department
is not really something that a lot of employees want to do. So it's important to let them know
that the IT department is there to help them. Any questions they may have, it doesn't matter how dumb they may be at first,
they're there to answer them and to educate them.
I suppose with this StrongPity group,
how targeted they are with the people that they're trying to hit,
this doesn't sound like a broad campaign that's just trying to vacuum up everybody on the Internet.
They know who they're after here.
Exactly.
So, again, just because they had that, I mean, we actually saw a list.
They had a list of IP addresses that they were specifically waiting for to connect to those compromised websites.
So that means they did their homework
in advance. So they did a lot of investigation, if you will, on who their victims are, what their IP
addresses are, especially now potentially that they, you know, some of them might have worked from home.
So they knew exactly who they were targeting and they knew their habits. They knew that they would
visit those websites frequently. So, you know, it was just a matter of waiting it out.
Do you have any sense for how successful they were?
Well, it's difficult to say because you don't know how much information they actually managed
to get from their victims and how many victims they successfully compromised.
So what we do know is that they were waiting for a very limited number of victims.
We know that they had the capability to exfiltrate pretty much everything they needed or wanted.
But in terms of what they actually and how much they actually managed to do damage,
in terms of damage, it's difficult to estimate.
Our thanks to Liviu Arsene from Bitdefender for joining us.
The research is titled StrongPity APT:
Revealing Trojanized Tools, Working Hours, and Infrastructure.
We'll have a link in the show notes.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.