APT Gang Distributed Android Trojan via Syrian e-Government Platform

A cybercriminal gang tracked as an advanced persistent threat (APT) has been linked to a new campaign that distributes Android malware through the Syrian e-Government Web Portal, showing that the attacker has expanded its arsenal of tools for penetrating targets, according to The Hacker News.

StrongPity, also referred to as Promethium by Microsoft, is believed to have been active since 2012, typically focusing on targets in Syria and Turkey. In the mid-2020s, the threat actor was linked to a wave of operations that relied on watering-hole attacks and manipulated installers to infect targets with malware, abusing the popularity of genuine programs.

The latest campaign is no different, as benign software was repackaged into Trojanized variants to support the attacks. The malware is believed to have been created in May 2021, when the app was disguised as a Syria e-Gov Android application, with its manifest file AndroidManifest.xml modified to explicitly request additional phone permissions, including the ability to read contact information, access cellular and WiFi information, write to external storage and keep the device awake.
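A defender triaging a repackaged APK would diff the permissions the suspect manifest requests against the legitimate build. The following is an added example, not code from the original article or from any vendor report; the sample manifests are constructed, and the mapping from the page's wording to concrete Android permission names is my assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions that match the spyware capabilities described on the page;
# the mapping from the page's wording to these names is an assumption.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read contact information",
    "android.permission.READ_PHONE_STATE": "access cellular information",
    "android.permission.ACCESS_WIFI_STATE": "access WiFi information",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage",
    "android.permission.WAKE_LOCK": "keep the device awake",
}

def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter("uses-permission")
        if el.get(f"{{{ANDROID_NS}}}name")
    }

def permission_delta(original_xml: str, suspect_xml: str) -> dict:
    """Permissions the suspect manifest requests beyond the original build,
    annotated with the capability each grants ('other' if not in SENSITIVE)."""
    added = manifest_permissions(suspect_xml) - manifest_permissions(original_xml)
    return {p: SENSITIVE.get(p, "other") for p in sorted(added)}

# Constructed sample manifests; not the real Syria e-Gov app's manifest.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="example.egov">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="example.egov">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in permission_delta(ORIGINAL, REPACKAGED).items():
        print(f"added: {perm}  ({why})")
```

In practice the manifests come from decoding both APKs (for example with apktool); the script then reports exactly the five capabilities the article describes as having been added.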

Even though some of the hackers’ campaigns were exposed, they continued their hacking operations 

The malicious app is designed to perform long-running tasks in the background, sending a request to a remote command-and-control (C2) server. In turn, the server responds with encrypted payloads containing a configuration file that allows the malicious program to change its behavior and update its C2 server address. Ultimately, the highly modular implant is able to harvest data stored on the infected device, including contacts, photos, PDF files, security keys, Excel and Word documents and other files, all of which are exfiltrated to the C2 server.

Although there are no public reports of StrongPity attacking with malicious Android apps, Trend Micro's attribution stems from the fact that the operators are using a C2 server that was specifically documented by AT&T's Alien Labs in July 2019, when it was used to deliver tainted versions of the WinBox router management software.

According to a Cisco Talos disclosure from last year regarding Promethium's resilience over time, researchers say its campaigns were exposed several times, but that was not enough to deter the cybercriminals who deployed the malware. The group's determination to fulfill its purpose shows in the fact that it is not afraid to launch new operations even after being exposed.