- The threat actor behind StrongPity is not deterred despite being exposed multiple times over the past four years.
- They continue to expand their victimology and attack seemingly non related countries.
- This kind of continuous improvement suggests there is a possibility that this is an exported solution for other actors to use.
The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, Cisco Talos identified around 30 new C2 domains. We assess that PROMETHIUM activity corresponds to five peaks of activity when clustered by the creation date month and year.
Talos telemetry shows that PROMETHIUM is expanding its reach and attempts to infect new targets across several countries. The samples related to StrongPity3 targeted victims in Colombia, India, Canada and Vietnam. The group has at least four new trojanized setup files we observed: Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player).
How did it work?
Talos could not pinpoint the initial attack vector, however, the use of trojanized installation files to well-known applications is consistent with the previously documented campaigns. This leads us to believe that just like in the past, the initial vector may be either a watering hole attack or in-path request interception like mentioned in a CitizenLab report from 2018.
The trojanized setup will install the malware and the legitimate application, which is a good way to disguise its activities. In some cases, it will reconfigure Windows Defender before dropping the malware to prevent detection.
This group mainly focuses on espionage, and these latest campaigns continue down the same path. The malware will exfiltrate any Microsoft Office file it encounters on the system. Previous research even linked PROMETHIUM to state-sponsored threats. The fact that the group does not refrain from launching new campaigns even after being exposed shows their resolve to accomplish their mission.
PROMETHIUM has been resilient over the years. Its campaigns have been exposed several times, but that was not enough to make the actors behind it to make them stop.
Potential infection vectors
Despite the numbers of samples and the quantity of C2 servers, Cisco Talos did not identify the infection vectors. We have no evidence that the websites of the real applications were compromised to host the malicious installer. The infection vector does not seem to be related to a supply-chain attack, either.
Based on the previous research from CitizenLab and the artifacts from the new campaigns, we estimate that the infection vector could be the same as in 2018. When the targeted users tried to download a legitimate application on the official website, the ISP performs an HTTP redirect. For more information about the methodology used in the past, we recommend reading the paper from CitizenLab.
The report from CitizenLab highlights the intervention of service providers during the initial attack vector implying state support. It also refers to the change from FinSpy, a well-known malware developed by a lawful interception company, to StrongPity2. At the time, they concluded that most of the victims were in Turkey and Syria.
Our research indicates that the victims are now in many different regions of the world.
Countries affected by StrongPity
The many different versions of the malware, coupled with the fact that the domains are hardcoded indicates that a tool such as a Builder is used to generate the binaries. We can conclude that the PROMETHIUM threat actor is interested in new countries or the malicious framework developed by this threat actor is exported in more countries than previously thought.
Trojanized Firefox Installer
One interesting detail, which is aligned with CitizenLab’s claim that Turkish people were the most targeted, is the Turkish language version of the Firefox Installer.
The fact we clustered these into different campaigns does not mean that they have been conducted sequentially. In fact, our analysis of each domain showed that these are overlapping campaigns — some of them going back to 2018.
Domain activity timeline
Some of these domains may already be sinkholed, thus posing no threat. However, the fact that the number of hits is still high shows that the infection vectors are still active. It is interesting to note that this threat actor uses HTTPS on the C2. They always use self-signed certificates.
Main differences between StrongPity2 and StrongPity3
StrongPity3 is the evolution of StrongPity2, with a few differences. The latter does not use libcurl anymore and now uses winhttp to perform all requests to C2. The usage of the HKCUSoftwareMicrosoftWindowsCurrentVersionRun registry key has a persistence mechanism that has been replaced by the creation of a service. This service changes its name from package to package. The service executable’s only job is to launch the C2 contact module upon service startup. The remaining malware flow is the same on both versions.
The dropped files are now stored in a folder located in C:DOCUME~1<USER>~1LOCALS~1Temp always following the same pattern similar to the following: 4CA-B25C11-A27BC. The C2 path pattern has also changed, we have identified the following paths: ini.php, info.php and parse_ini_file.php, which are no longer random nor animal named based.
We found four different trojaned binaries in use since July 2019. The 5kplayer, driver pack and Firefox trojanized software use a service to achieve persistence. The VPNpro trojanized application uses an AutoRun registry key, as mentioned in the publication released before July 2019.
Anti-virus checks on Firefox trojanized installer
Before writing the toolkit into the hard drive, the fake Firefox installer executes a PowerShell command that will add the directories used by the malware to the Windows Defender exclusions list and prevent sample submission at the same time. After that, it will check if ESET or BitDefender antivirus are installed before dropping the malware. If they are installed, nothing will be dropped.
We’ll now break down the 5kplayer trojanized installer. The setup deploys three files which are part of the toolset: rmaserv.exe, winprint32.exe and mssqldbserv.xml.
As the execution flow shows, the setup will only execute rmaserv.exe. The remaining modules are executed by rmaserv.exe when this executable will be executed as a service.
The malicious service: rmaserv.exe
This binary has two main features. If it is executed with the “help” parameter, it will install a service to execute itself as a service. This parameter is used by the trojanized installer. Here is the code to perform this task:
rmaserv.exe entry function
This follows the design pattern described in the Microsoft Windows documentation, which can be found here. This has a notable side effect: if rmaserv.exe is executed isolated on a sandbox (so without the parameter), the service is not created. Consequently, the execution won’t do anything and the dynamic analysis will be skewed.
The second main feature is the service. This service has two features. First, it will launch the winprint32.exe executable (C2 contact module) and then it will wait for an event. This event is the mechanism used by the C2 contact module to alert the service executable to perform the cleaning of all components.
C2 contact module: winprint32.exe
Regularly, the service checks if a user is logged, by checking if Explorer is running. Once explorer.exe is running, the service configures the environment and executes the C2 contact module: winprint32.exe.
This module is responsible for launching the document search module, contact the C2 and exfiltrate the collected documents. It will create a mutex with the name “YeucqCcpgapiZISEdRSNiL“. Afterward, it will launch two processes:
Then, it will start an infinite loop. The first step inside the loop is to contact the C2 over HTTPS. On the first contact, it will send an identification of the victim based on the hard disk volume serial number.
Contact C2 loop
After a 6,050- milliseconds delay, it will search for “sft” files (the encoded archive containing the documents to be exfiltrated), which will then be exfiltrated to the C2.
Afterward, it will sleep for another 6,050 milliseconds before restarting. This module can be executed independently of the rest of the toolkit. Talos didn’t identify any kind of anti-sandboxing mechanisms on it, either.
Document search module: Mssqldbserv.xml
This module has been described before in the article here. The purpose of this tool is to parse the hard drive for files with a specific extension and create an archive with these files. Finally, the archive is encoded before being sent to the C2.
mssqldbserv.xml main function
However, there are some interesting details we decided to share. Clearly, this was not originally designed to be executed in the background. The first instructions in the main function hide the console window from the user. Afterward, the module will delete old “sft” files assuming they were already exfiltrated. After a pause of 6,500 milliseconds, it will start its search for the targeted files.
SFT file creation routine
Using the working directory as a base path, which in this sample case is C:DOCUME~1~1LOCALS~1Temp4CA-B25C11-A27BC, each selected file will be compressed into the file kr.zp. The kr.zp data is then read and encoded using the same unusual encoded scheme.
byte = byte XOR (byte >> 4)
If the file is larger than 2048*53 bytes (~ 106kb) it is split into chunks and saved into the sft files according to the naming convention below.
Since this module does not have a loop, it will only be executed at the communications module startup, which means that it is only executed once per service start.
Our initial analysis in a sandbox showed that the C2 contact module attempts to execute this file, searching for it in the same path as the document search module, which we further corroborated with manual analysis. However, we couldn’t obtain this file. All files in the toolkit are dropped by the trojanized software and it’s clear that the C2 contact module expects this file to exist (the specific name changes form dropper to dropper). None of the trojanized software we analyzed dropped this file, manual analysis showed that there were no checks to decide whether to drop it. One possibility is that these are remains of old code that was abandoned in the meantime.
The PROMETHIUM threat actor is dedicated and resilient, exposing them hasn’t refrained them from moving forward with their agenda. After first being documented, they changed their toolkit but not their techniques or procedures. Since then, their toolkit has been the same, with just enough updates to keep their activities as efficient as possible. During this period, the victimology has expanded behind their initial focus in Europe and Middle East to a global operation targeting organizations on most continents.
These characteristics can be interpreted as signs that this threat actor could in fact be part of an enterprise service for hire operation. We believe this has hallmarks a professionally packaged solution due to the similarity of each piece of malware being extremely similar but used across different targets with minor changes.
Additionally, as explained by Citizen Lab, we saw in the past a lawful Interception tool was used instead of StrongPity. This usage could corroborate our theory.
Ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such as this automatically.
Email Security can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.