
Cyber Espionage, StrongPity targets Kurdish community in Syria

Bitdefender: The StrongPity cyber espionage group is targeting especially the Kurdish community in Syria. It could be linked to Turkey, but there is no direct forensic evidence

StrongPity targets victims in Turkey and Syria, using watering hole tactics to selectively infect them and deploying a three-tier C&C infrastructure to thwart forensic investigations. The campaign was discovered by Bitdefender cyber security experts. The APT leveraged Trojanized versions of popular tools, such as archivers, file recovery applications, remote connection applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking. The data gathered suggests the attackers are especially interested in the Kurdish community, placing the threat in a geo-political context. The samples used in one of the attackers’ campaigns seem to have been timestamped starting October 1st 2019, coinciding with the launch of the Turkish Operation Peace Spring into north-eastern Syria. While there is no direct forensic evidence suggesting that the group supported Ankara's military operations, the victims’ profile coupled with the sample timestamps makes for an interesting coincidence.

The cyber security experts: The APT exploits Trojanized popular tools and victims are screened based on a target list

According to the cyber security experts, all files investigated pertaining to the tainted applications appear to have been compiled from Monday to Friday, during normal 9 to 6 UTC+2 working hours. This strengthens the idea that StrongPity could be a sponsored and organized developer team paid to deliver certain “projects.” Victims are screened based on a target list, suggesting that the APT can deliver the tainted version of the Trojanized applications if the victim’s IP address matches one found in the file; otherwise, a legitimate version of the application would be served. However, the ones investigated revealed that any valid connection would get the malicious installer instead of the clean one. Once the victim is compromised, components pertaining to persistence, command and control communication, and file searching are deployed on the victim’s machine.
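The working-hours observation above rests on the compile timestamp stored in each PE file's COFF header. The following is an added example, not code from the article or from Bitdefender, showing how an analyst could read that field and test it against the Monday to Friday, 9 to 6 UTC+2 window; the helper names and the stub sample files are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC_PLUS_2 = timezone(timedelta(hours=2))  # offset named in the article
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # After the signature: Machine (2), NumberOfSections (2), TimeDateStamp (4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def in_working_hours(ts, tz=UTC_PLUS_2, start=9, end=18):
    """True if ts falls Monday to Friday, start <= hour < end, in tz."""
    local = ts.astimezone(tz)
    return local.weekday() < 5 and start <= local.hour < end

def profile(samples, tz=UTC_PLUS_2):
    """Count samples inside the window and tally compile weekdays in tz."""
    times = [pe_compile_time(s) for s in samples]
    days = {}
    for t in times:
        name = DAYS[t.astimezone(tz).weekday()]
        days[name] = days.get(name, 0) + 1
    inside = sum(in_working_hours(t, tz) for t in times)
    return {"total": len(times), "in_window": inside, "weekdays": days}

def fake_pe(when: datetime) -> bytes:
    """Constructed stub: only the header fields the parser reads."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, int(when.timestamp()))
    return dos + coff + b"\0" * 12

# Constructed sample set, not real StrongPity binaries.
SAMPLES = [
    fake_pe(datetime(2019, 10, 1, 10, 30, tzinfo=UTC_PLUS_2)),   # Tue, inside
    fake_pe(datetime(2019, 10, 4, 17, 59, tzinfo=UTC_PLUS_2)),   # Fri, inside
    fake_pe(datetime(2019, 10, 5, 11, 0, tzinfo=UTC_PLUS_2)),    # Sat, outside
    fake_pe(datetime(2019, 10, 2, 7, 30, tzinfo=timezone.utc)),  # 09:30 UTC+2
]

if __name__ == "__main__":
    print(profile(SAMPLES))
```

The timestamp is written by the linker and can be altered or zeroed after the fact, so a clustering like this is a supporting indicator to weigh alongside other evidence rather than proof of origin.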
