An APT group active since at least 2012 and first publically reported in 2016, StrongPity has mostly had countries like Italy and Belgium in its focus. Although, it has now expanded its range and extended its malice to countries like Northern Africa, Europe, Asia, and Canada as well.
Finding and exfiltrating data from infected machines are the main focus of the APT along with running a series of fake websites that lure users with an array of software tools. These tools are nothing but infected versions of legitimate applications.
- Using a predefined IP list the APT selectively targets its victims. The group delivers a trojanized version of the application, otherwise, a legitimate version, if a victim’s IP address matches the one in the installer’s configuration file.
- Upon installation, the exfiltration component within the malware is triggered, executing a file-searching mechanism tasked for looping via drives, looking for files with some specific extensions defined by attackers.
- If found, the files are stored in a temporary (.ZIP) archive. Later, they are sent to the c2 server after being split into hidden (.SFT) encrypted files.
- Two types of servers are used by the APT – C2 servers and download servers that propagate the malicious installer used in the initial compromise of victims.
Several other APT groups are also offering their services and have been observed expanding their scope of attacks.
- In early-December, DeathStalker, another hacker for hire group was observed using a new PowerShell backdoor in their attacks.
- A global espionage campaign was executed by CostaRicto on multiple continents.
Hackers-for-hire mercenaries are gaining popularity and allegedly many nations have employed their services. Consequently, our internal experts suggest organizations stay protected by deploying web and email filters on the network, segmentation of any critical networks, and advising their employees to use legitimate software downloaded from official sources only.
To read more, please check eScan Blog
