{"id":3424,"date":"2021-07-30T01:29:03","date_gmt":"2021-07-30T06:29:03","guid":{"rendered":"https:\/\/truxgoservers.com\/blog\/?p=3424"},"modified":"2021-08-07T12:04:49","modified_gmt":"2021-08-07T17:04:49","slug":"strongpity-an-infamous-group-of-cybercriminals","status":"publish","type":"post","link":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/","title":{"rendered":"StrongPity infamous group of cybercriminals"},"content":{"rendered":"\n<p>StrongPity is an APT group that has been active since at least 2012 and was first publicly reported in 2016; it is also known as Promethium. The group was behind the attacks on Kurdistan carried out through watering hole attacks, which consist of infecting third-party websites used by the end users the attacker wants to compromise. It is a very common way of attacking organizations, since its success rests not so much on security flaws in the technological infrastructure itself as on intelligence analysis of the end users&#8217; habits.<\/p>\n\n\n\n<p>StrongPity focuses on finding and exfiltrating data from infected machines and runs a number of bogus websites that lure users in with a variety of software tools. These tools are Trojanized versions of original applications.<\/p>\n\n\n\n<p><strong><em>\u25b8The APT selectively targets victims using a predefined IP list. If a victim&#8217;s IP address matches one in the installer configuration file, the group delivers a Trojanized version of the application; otherwise, it delivers the legitimate version.<\/em><\/strong><\/p>\n\n\n\n<p><strong><em>\u25b8Once installed, the malware activates an exfiltration component that runs a file search mechanism, looping through the drives in search of files with specific extensions defined by the attackers.<\/em><\/strong><\/p>\n\n\n\n<p><strong><em>\u25b8If found, the files are stored in a temporary file (.ZIP). 
The malware then splits it into hidden, encrypted files (.SFT) and sends them to the C2 server. Finally, these files are removed from the disk to hide any evidence of exfiltration.<\/em><\/strong><\/p>\n\n\n\n<p><strong><em>\u25b8The APT uses two types of servers: download servers that distribute the malicious installer used in the initial compromise of victims, and C2 servers.<\/em><\/strong><\/p>\n\n\n\n<p>For now, it seems that StrongPity wants to expand its territory: recently, an investigation was conducted on a malicious Android sample, believed to be attributable to this group, which was posted on the Syrian e-Gov website. As far as we know, this is the first time that the group has been publicly observed using malicious Android applications as part of its attacks, but we will know more when further details about this threat are published.<\/p>\n\n\n\n<p>Also see:<br><a href=\"https:\/\/truxgoservers.com\/blog\/prometheus-and-grief-2-new-ransomware-groups\/\">Prometheus and Grief, 2 New Ransomware Groups<\/a><br><a href=\"https:\/\/truxgoservers.com\/blog\/fin7-a-dangerous-group-of-hackers\/\">FIN7, a dangerous group of hackers<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>StrongPity is an APT group that has been active since at least 2012 and was first publicly reported in 2016; it is also known as Promethium. The group was behind the attacks on Kurdistan carried out through watering hole attacks, which consist of infecting third-party websites used by the end users [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3425,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[36],"class_list":["post-3424","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - 
https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>StrongPity infamous group of cybercriminals - Truxgo Server Blog<\/title>\n<meta name=\"description\" content=\"Today we have to see StrongPity, an APT group active since at least 2012 which has already had a leading role many times due to its threats..\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/\" \/>\n<meta property=\"og:locale\" content=\"es_MX\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"StrongPity infamous group of cybercriminals - Truxgo Server Blog\" \/>\n<meta property=\"og:description\" content=\"Today we have to see StrongPity, an APT group active since at least 2012 which has already had a leading role many times due to its threats..\" \/>\n<meta property=\"og:url\" content=\"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/\" \/>\n<meta property=\"og:site_name\" content=\"Truxgo Server Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-30T06:29:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-07T17:04:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/truxgoservers.com\/blog\/wp-content\/uploads\/2021\/07\/new-4.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1120\" \/>\n\t<meta property=\"og:image:height\" content=\"633\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Truxgo\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"Truxgo\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tiempo de lectura\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutos\" \/>\n<script 
type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/\"},\"author\":{\"name\":\"Truxgo\",\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/#\\\/schema\\\/person\\\/8b409c26449db6aa09724b45331e333e\"},\"headline\":\"StrongPity infamous group of cybercriminals\",\"datePublished\":\"2021-07-30T06:29:03+00:00\",\"dateModified\":\"2021-08-07T17:04:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/\"},\"wordCount\":360,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/new-4.jpg\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"es\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/\",\"url\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/\",\"name\":\"StrongPity infamous group of cybercriminals - Truxgo Server 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/new-4.jpg\",\"datePublished\":\"2021-07-30T06:29:03+00:00\",\"dateModified\":\"2021-08-07T17:04:49+00:00\",\"description\":\"Today we have to see StrongPity, an APT group active since at least 2012 which has already had a leading role many times due to its threats..\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/#breadcrumb\"},\"inLanguage\":\"es\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/#primaryimage\",\"url\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/new-4.jpg\",\"contentUrl\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/new-4.jpg\",\"width\":1120,\"height\":633},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/strongpity-an-infamous-group-of-cybercriminals\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"StrongPity infamous group of 
cybercriminals\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/\",\"name\":\"Truxgo Server Blog\",\"description\":\"Cloud Server and Hosting Tutorials.\",\"publisher\":{\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"es\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/#organization\",\"name\":\"Truxgo Server Blog\",\"url\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/cropped-truxgo-logo-blanco.png\",\"contentUrl\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/cropped-truxgo-logo-blanco.png\",\"width\":1250,\"height\":278,\"caption\":\"Truxgo Server 
Blog\"},\"image\":{\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/#\\\/schema\\\/person\\\/8b409c26449db6aa09724b45331e333e\",\"name\":\"Truxgo\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/52691a61c58e68677ed4860007c1bb03b14eabe7350747ab3fad3e17825b4b96?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/52691a61c58e68677ed4860007c1bb03b14eabe7350747ab3fad3e17825b4b96?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/52691a61c58e68677ed4860007c1bb03b14eabe7350747ab3fad3e17825b4b96?s=96&d=mm&r=g\",\"caption\":\"Truxgo\"},\"sameAs\":[\"https:\\\/\\\/truxgoservers.com\\\/blog\"],\"url\":\"https:\\\/\\\/truxgoservers.com\\\/blog\\\/author\\\/truxgo\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"StrongPity infamous group of cybercriminals - Truxgo Server Blog","description":"Today we have to see StrongPity, an APT group active since at least 2012 which has already had a leading role many times due to its threats..","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/","og_locale":"es_MX","og_type":"article","og_title":"StrongPity infamous group of cybercriminals - Truxgo Server Blog","og_description":"Today we have to see StrongPity, an APT group active since at least 2012 which has already had a leading role many times due to its threats..","og_url":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/","og_site_name":"Truxgo Server 
Blog","article_published_time":"2021-07-30T06:29:03+00:00","article_modified_time":"2021-08-07T17:04:49+00:00","og_image":[{"width":1120,"height":633,"url":"https:\/\/truxgoservers.com\/blog\/wp-content\/uploads\/2021\/07\/new-4.jpg","type":"image\/jpeg"}],"author":"Truxgo","twitter_card":"summary_large_image","twitter_misc":{"Escrito por":"Truxgo","Tiempo de lectura":"2 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/#article","isPartOf":{"@id":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/"},"author":{"name":"Truxgo","@id":"https:\/\/truxgoservers.com\/blog\/#\/schema\/person\/8b409c26449db6aa09724b45331e333e"},"headline":"StrongPity infamous group of cybercriminals","datePublished":"2021-07-30T06:29:03+00:00","dateModified":"2021-08-07T17:04:49+00:00","mainEntityOfPage":{"@id":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/"},"wordCount":360,"commentCount":1,"publisher":{"@id":"https:\/\/truxgoservers.com\/blog\/#organization"},"image":{"@id":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/#primaryimage"},"thumbnailUrl":"https:\/\/truxgoservers.com\/blog\/wp-content\/uploads\/2021\/07\/new-4.jpg","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"es","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/","url":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/","name":"StrongPity infamous group of cybercriminals - Truxgo Server 
Blog","isPartOf":{"@id":"https:\/\/truxgoservers.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/#primaryimage"},"image":{"@id":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/#primaryimage"},"thumbnailUrl":"https:\/\/truxgoservers.com\/blog\/wp-content\/uploads\/2021\/07\/new-4.jpg","datePublished":"2021-07-30T06:29:03+00:00","dateModified":"2021-08-07T17:04:49+00:00","description":"Today we have to see StrongPity, an APT group active since at least 2012 which has already had a leading role many times due to its threats..","breadcrumb":{"@id":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/#breadcrumb"},"inLanguage":"es","potentialAction":[{"@type":"ReadAction","target":["https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/"]}]},{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/#primaryimage","url":"https:\/\/truxgoservers.com\/blog\/wp-content\/uploads\/2021\/07\/new-4.jpg","contentUrl":"https:\/\/truxgoservers.com\/blog\/wp-content\/uploads\/2021\/07\/new-4.jpg","width":1120,"height":633},{"@type":"BreadcrumbList","@id":"https:\/\/truxgoservers.com\/blog\/strongpity-an-infamous-group-of-cybercriminals\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/truxgoservers.com\/blog\/"},{"@type":"ListItem","position":2,"name":"StrongPity infamous group of cybercriminals"}]},{"@type":"WebSite","@id":"https:\/\/truxgoservers.com\/blog\/#website","url":"https:\/\/truxgoservers.com\/blog\/","name":"Truxgo Server Blog","description":"Cloud Server and Hosting 
Tutorials.","publisher":{"@id":"https:\/\/truxgoservers.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/truxgoservers.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"es"},{"@type":"Organization","@id":"https:\/\/truxgoservers.com\/blog\/#organization","name":"Truxgo Server Blog","url":"https:\/\/truxgoservers.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/truxgoservers.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/truxgoservers.com\/blog\/wp-content\/uploads\/2020\/08\/cropped-truxgo-logo-blanco.png","contentUrl":"https:\/\/truxgoservers.com\/blog\/wp-content\/uploads\/2020\/08\/cropped-truxgo-logo-blanco.png","width":1250,"height":278,"caption":"Truxgo Server Blog"},"image":{"@id":"https:\/\/truxgoservers.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/truxgoservers.com\/blog\/#\/schema\/person\/8b409c26449db6aa09724b45331e333e","name":"Truxgo","image":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/secure.gravatar.com\/avatar\/52691a61c58e68677ed4860007c1bb03b14eabe7350747ab3fad3e17825b4b96?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/52691a61c58e68677ed4860007c1bb03b14eabe7350747ab3fad3e17825b4b96?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/52691a61c58e68677ed4860007c1bb03b14eabe7350747ab3fad3e17825b4b96?s=96&d=mm&r=g","caption":"Truxgo"},"sameAs":["https:\/\/truxgoservers.com\/blog"],"url":"https:\/\/truxgoservers.com\/blog\/author\/truxgo\/"}]}},"_links":{"self":[{"href":"https:\/\/truxgoservers.com\/blog\/wp-json\/wp\/v2\/posts\/3424","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/truxgoservers.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/truxgoservers.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":tru
e,"href":"https:\/\/truxgoservers.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/truxgoservers.com\/blog\/wp-json\/wp\/v2\/comments?post=3424"}],"version-history":[{"count":2,"href":"https:\/\/truxgoservers.com\/blog\/wp-json\/wp\/v2\/posts\/3424\/revisions"}],"predecessor-version":[{"id":3497,"href":"https:\/\/truxgoservers.com\/blog\/wp-json\/wp\/v2\/posts\/3424\/revisions\/3497"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/truxgoservers.com\/blog\/wp-json\/wp\/v2\/media\/3425"}],"wp:attachment":[{"href":"https:\/\/truxgoservers.com\/blog\/wp-json\/wp\/v2\/media?parent=3424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/truxgoservers.com\/blog\/wp-json\/wp\/v2\/categories?post=3424"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/truxgoservers.com\/blog\/wp-json\/wp\/v2\/tags?post=3424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}