StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure


Bitdefender researchers have recently found the APT group StrongPity has been targeting victims in Turkey and Syria. Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking.

The data gathered while investigating this group suggests the attackers are interested especially in the Kurdish community, placing the threat in the geo-political context of the constant conflicts in the region.

Interestingly, the samples used in one of the attackers’ campaigns seem to have been timestamped starting October 1st 2019, coinciding with the launch of the Turkish offensive into north-eastern Syria, code-named Operation Peace Spring. While there is no direct forensic evidence suggesting that the StrongPity APT group operated in support of Turkish military operations, the victims’ profile coupled with the timestamps on the analyzed samples makes for an interesting coincidence.

Key Findings:

  • Potentially state-sponsored APT Group with political motivation
  • Ability to search for and exfiltrate any file or document from a victim’s machine
  • Watering hole tactic that selectively targets victims in Turkey and Syria using pre-defined IP list
  • 3-tiered C&C infrastructure for covering tracks and thwarting forensic investigation
  • Use of fully working Trojanized popular tools

Interestingly, all investigated files pertaining to the tainted applications appear to have been compiled from Monday to Friday, during normal working hours (9 to 6, UTC+2). This strengthens the idea that StrongPity could be a sponsored and organized developer team paid to deliver certain “projects.”

Victims are screened against a $targets list, suggesting that the attackers intend to deliver the tainted version of a Trojanized application only if the victim’s IP address matches one found in the file, and a legitimate version of the application otherwise. However, in the cases investigated, any valid connection received the malicious installer instead of the clean one.

Once the victim is compromised, components responsible for persistence, command and control communication, and file searching are deployed on the victim’s machine. Based on instructions received, the exfiltration component runs a file searching mechanism that loops through the drives looking for files with specific extensions. Files found are placed in a temporary zip archive, which is then split into hidden, encrypted .sft files; these are sent to the C&C server and ultimately deleted from the disk to cover any tracks of the exfiltration.
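The exfiltration chain described above has a recognisable host-side shape that a defender can hunt for. The following is an added example, not Bitdefender's code or anything from the whitepaper: it walks constructed file-activity events (the event fields, the hidden-attribute flag and the temp-path heuristic are assumptions) and flags processes that stage a zip in a temp folder, write hidden .sft chunks, contact the network and then delete those chunks.

```python
"""Hunt for the StrongPity-style staging chain over constructed file-activity
events: temp zip -> hidden .sft chunks -> network activity -> chunk deletion."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    ts: int               # monotonic timestamp (seconds), assumed field
    pid: int              # process that performed the operation
    op: str               # "create", "delete" or "net"
    path: str             # file path, or remote endpoint for a "net" event
    hidden: bool = False  # hidden attribute set on the created file (assumed)

def _is_temp_zip(path):
    p = path.lower()
    return p.endswith(".zip") and ("\\temp\\" in p or "\\tmp\\" in p)

def _is_sft(path):
    return path.lower().endswith(".sft")

def find_exfil_chains(events):
    """Return {pid: chunk_count} for processes that staged a temp zip, wrote
    hidden .sft chunks, sent traffic and then removed the chunks from disk."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e)
    hits = {}
    for pid, evs in by_pid.items():
        if not any(e.op == "create" and _is_temp_zip(e.path) for e in evs):
            continue
        created = {e.path: e.ts for e in evs
                   if e.op == "create" and e.hidden and _is_sft(e.path)}
        deleted = {e.path: e.ts for e in evs
                   if e.op == "delete" and e.path in created}
        net = [e.ts for e in evs if e.op == "net"]
        # A chunk counts only if network activity happened between its
        # creation and its deletion: the send-then-cover-up step.
        chunks = [p for p, t in deleted.items() if any(created[p] < n < t for n in net)]
        if chunks:
            hits[pid] = len(chunks)
    return hits

# Constructed sample: pid 4242 shows the full chain; pid 7 is a benign zip user.
SAMPLE = [
    Event(1, 4242, "create", r"C:\Users\u\AppData\Local\Temp\a1.zip"),
    Event(2, 4242, "create", r"C:\Users\u\AppData\Local\Temp\a1.sft", hidden=True),
    Event(3, 4242, "create", r"C:\Users\u\AppData\Local\Temp\a2.sft", hidden=True),
    Event(4, 4242, "net", "203.0.113.10:443"),
    Event(5, 4242, "delete", r"C:\Users\u\AppData\Local\Temp\a1.sft"),
    Event(6, 4242, "delete", r"C:\Users\u\AppData\Local\Temp\a2.sft"),
    Event(7, 7, "create", r"C:\Users\u\AppData\Local\Temp\backup.zip"),
    Event(8, 7, "net", "198.51.100.5:443"),
]

if __name__ == "__main__":
    print(find_exfil_chains(SAMPLE))  # {4242: 2}
```

Real telemetry (Sysmon file-create/delete events, EDR process trees) would feed the same function once mapped onto the Event fields; the hidden-attribute and temp-path checks are the parts to tune to your environment.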

For a more detailed investigation into the analyzed infrastructure behind the StrongPity APT, check out the whitepaper. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found in the whitepaper.