Following the advisory issued by the Australian Government warning that Australian businesses and government departments were currently being targeted by malware favored by several Chinese Advanced Persistent Threat (APT) groups, researchers at several security firms have uncovered more APT activity, this time related to the group code-named Promethium. In two separate reports it has been revealed that Promethium, also referred to as StrongPity, has been seen deploying a set of new weaponized trojans that abuse the popularity of legitimate applications.
The group is believed to have been active since 2012, with some reports even suggesting the group was formed as early as 2002. Traditionally, Promethium has focused its activity on organizations and individuals in Turkey and Syria, with some campaigns also including targets in Italy and Belgium. The group’s main objective is intelligence gathering, and it has been exposed on a number of occasions by both security researchers and civil rights groups. None of this seems to have bothered the group in the slightest: it is widely regarded as one of the most prolific intelligence-gathering groups and appears to be driven by political motivations.
The latest campaigns have been uncovered by both Cisco Talos and Bitdefender, who have published their findings in recently released reports. Both security firms reached similar conclusions in that not only has the APT group expanded its victim base but has also upgraded its toolbox to better turn targets into victims. Researchers from Cisco Talos managed to trace 30 new command and control servers to group activity as well as five surges in activity supported by the extended command and control structure.
This expanded infrastructure has been used to broaden the set of targets pursued by the group, which now includes organizations in Colombia, India, Canada, and Vietnam. Researchers have termed the latest malware used in these campaigns StrongPity3, with the previous version referred to as StrongPity2. In order to infect machines, the group has created four new weaponized trojans pretending to be setup files for Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player).
The exact initial infection vector is still not known, but the use of weaponized setup and installation files is a tactic favored by the group. In the past the initial vector has been a form of watering hole attack. These attacks target websites known to be visited by the intended victims; the attacker then uses one or several exploits to install malware onto the victim’s machine. Another method the group has used in the past involves intercepting HTTP requests, as covered in a 2018 Citizen Lab report, where it was found that intercepted traffic would be redirected to websites under the attacker’s control. While the initial attack vector is unknown, what is known is what happens when the malicious setup files are executed. Cisco Talos researchers summarised what happens next, as well as the overall purpose of the campaign, as follows:
“The trojanized setup will install the malware and the legitimate application, which is a good way to disguise its activities. In some cases, it will reconfigure Windows Defender before dropping the malware to prevent detection.
This group mainly focuses on espionage, and these latest campaigns continue down the same path. The malware will exfiltrate any Microsoft Office file it encounters on the system. Previous research even linked PROMETHIUM to state-sponsored threats. The fact that the group does not refrain from launching new campaigns even after being exposed shows their resolve to accomplish their mission. PROMETHIUM has been resilient over the years. Its campaigns have been exposed several times, but that was not enough to make the actors behind it stop.”
2019 and 2020 Campaigns
In the campaigns documented by Citizen Lab, researchers discovered that Promethium had copied and rebranded FinSpy, spyware that can be purchased legally although its moral implications are hotly debated, as StrongPity2, which was used to spy on victims in Turkey and Syria. The group has seemingly upgraded the malware to the above-mentioned StrongPity3 in order to target new victims in new regions, including South Africa, France, and Germany as well as those mentioned above. The main differences between StrongPity2 and StrongPity3 come down to how the malware achieves persistence on the victim’s machine. This upgrade was described by researchers as follows:
“StrongPity3 is the evolution of StrongPity2, with a few differences. The latter does not use libcurl anymore and now uses winhttp to perform all requests to C2. The usage of the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key as a persistence mechanism has been replaced by the creation of a service. This service changes its name from package to package. The service executable's only job is to launch the C2 contact module upon service startup. The remaining malware flow is the same on both versions.”
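The two persistence mechanisms described in that quote, a per-user Run key value (StrongPity2) and a newly installed service (StrongPity3), both leave a footprint in standard Windows telemetry. The following is an added example, not code from the Talos or Bitdefender reports, that scans a stream of constructed event records for both: the field names follow Windows System event 7045 (service installed) and Sysmon event 13 (registry value set), but the records themselves, the service name and the file paths are made up.

```python
# Added example (not from the reports): flag service and Run-key persistence
# in JSON-lines Windows event records. All sample values are constructed.
import json
import re

# Directories a legitimate service binary rarely lives in, but dropped payloads often do.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
# Per-user autostart keys; the hive prefix varies (HKCU vs HKU\<SID>), so match the tail.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

def analyse_event(ev):
    """Return a finding for one event record, or None if it looks benign."""
    eid = ev.get("EventID")
    if eid == 7045:  # System log: "A service was installed in the system"
        path = ev.get("ImagePath", "")
        if USER_WRITABLE.search(path):
            return {"type": "service_persistence", "name": ev.get("ServiceName"), "path": path}
    elif eid == 13 and ev.get("EventType") == "SetValue":  # Sysmon: registry value set
        target = ev.get("TargetObject", "")
        if RUN_KEY.search(target):
            return {"type": "runkey_persistence",
                    "name": target.rsplit("\\", 1)[-1],
                    "path": ev.get("Details", "")}
    return None

def scan(event_lines):
    """Parse JSON-lines event records and return every persistence finding, in order."""
    findings = []
    for line in event_lines.splitlines():
        line = line.strip()
        if line:
            finding = analyse_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample records: two benign, two matching the behaviour described above.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "ServiceName": "VendorAgent", "ImagePath": "C:\\Program Files\\Vendor\\agent.exe"}
{"EventID": 7045, "ServiceName": "UpdateSvc", "ImagePath": "C:\\Users\\alice\\AppData\\Roaming\\UpdateSvc\\svc.exe"}
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKU\\S-1-5-21-100-200-300-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"}
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\Vendor\\Settings\\LastRun", "Details": "2020-06-30"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['type']}: {f['name']} -> {f['path']}")
```

The service-path heuristic is deliberately narrow; in production it would be paired with the signer check on the service binary, since the report notes the service name changes from package to package.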
In the Bitdefender report, a matter of particular interest to the researchers was the trojanized installers. Bitdefender’s researchers found that more than the four listed above are used to install the malware. The malicious installers pretended to be installation packages for a wide array of applications, including compression applications like 7-zip and WinRAR archiver; security software such as McAfee Security Scan Plus; a file recovery application called Recuva; remote connection applications like TeamViewer; a chat application such as WhatsApp; and even various tools and utilities like Piriform CCleaner, CleverFiles, Disk Drill, DAEMON Tools Lite, Glary Utilities, and RAR Password Unlocker.
With such a wide range of applications covered, the attackers hoped to find at least one need they could pretend to solve for a victim. The installers all featured self-signed certificates that closely resembled those of the legitimate application. This makes detection harder for security software. Another interesting note based on Bitdefender’s research is that the files were retrieved and compiled by Promethium during expected work hours, namely 9 am to 6 pm in the UTC+2 time zone.
Researchers for Cisco Talos concluded that:
“The PROMETHIUM threat actor is dedicated and resilient, exposing them hasn't refrained them from moving forward with their agenda. After first being documented, they changed their toolkit but not their techniques or procedures. Since then, their toolkit has been the same, with just enough updates to keep their activities as efficient as possible. During this period, the victimology has expanded behind their initial focus in Europe and the Middle East to a global operation targeting organizations on most continents…These characteristics can be interpreted as signs that this threat actor could in fact be part of an enterprise service for hire operation. We believe this has the hallmarks of a professionally packaged solution due to the similarity of each piece of malware being extremely similar but used across different targets with minor changes.”
Looking at previous reports and articles investigating Promethium, it appears that the group’s mission has remained the same. Despite being exposed on numerous occasions, the group has remained dedicated to gathering intelligence on certain targets; new campaigns have only served to expand the number of targets, and thus the number of victims has increased. The Citizen Lab report mentioned above goes into great detail on how campaigns against Turkey, Syria, and Egypt were conducted and focussed on the impact such campaigns have on human rights. The researchers also offered some advice on how to better defend against these attack campaigns, as well as against “legal” spyware in general:
“The findings of this report also illustrate the urgent need for ubiquitous adoption of HTTPS by website developers. Handling web traffic over unencrypted channels leaves users vulnerable to network injection techniques that may expose them to spyware, unwanted advertising, or other Internet scams. Particularly on sites offering software downloads (some of which may be billed as “secure”), companies and developers responsible for such platforms must ensure the proper use of encryption. Ultimately, the use of products that provide network injection features on public ISP networks, as identified in this report, represents a major global public safety risk.”
As Promethium has shown that it favors watering hole attacks, individuals and organizations can take a few security measures to avoid becoming victims. The first is the staple advice that is handed out everywhere yet easily ignored: keep software up to date. Secondly, enable two-factor authentication wherever possible. Lastly, use a virtual machine wherever possible. Running your web browser in a virtual environment limits access to the local system, compartmentalizes systems and tools, and can stop watering hole attacks from succeeding.