Mercenary Hacking Group Deploys Android Malware

StrongPity Campaign Targeted Syrian E-Governance Website

Hack-for-hire group StrongPity deployed Android malware to target visitors of Syria’s e-government site as part of its latest cyberespionage campaign, a new report by security firm Trend Micro details.

StrongPity, also known as Promethium, has been active since 2016, and was previously linked to espionage campaigns that targeted the Kurdish community as well as the Turkish military.

In this latest campaign, the hacking group used watering hole techniques to compromise Syria’s e-government site and then replaced the official app with a Trojanized version. The attackers then used the app to exfiltrate files from victims’ devices, the report adds.

In addition to the Android version of the malware, the campaign also deployed an app to target Windows users. The report further notes that both versions of the apps are being actively developed by the hackers, with new capabilities added over time.

“We first learned about the sample from a thread shared on the MalwareHunterTeam Twitter. Based on the discussion thread, we learned that the shared sample is a Trojanized version of the Syrian e-gov Android application that would steal contact lists and collect files with specific file extensions from its victim’s device,” the report says. “To the best of our knowledge, this is the first time that the group has been publicly observed using malicious Android applications as part of its attacks.”

Attack Tactics

The report says the latest campaign began with the attackers hosting a malicious APK (Android application package) that was downloadable from the Syrian e-gov website. Based on the file timestamp, the report says this file has been in place since May 21.

To replace the legitimate app, the hackers signed a malicious version of the app with a different certificate and then repackaged it to appear like the original, Trend Micro says.

In the next stage of the attack, the hackers modified the app to request additional permissions on the infected devices and added malicious components to trigger the infection. The malware then communicates with the command-and-control server, saves encrypted payloads into an Android directory and decrypts them.

The malware then collects data from the victim’s device, such as contact data and information about available Wi-Fi networks, and searches the device’s files, harvesting those with specific file extensions.
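The two things a repackaged build changes, according to the report, are the signing certificate and the requested permission set. Both can be checked on the defender's side before an app is published or allowed onto managed devices. The following script is an added example, not code from the Trend Micro report or from the Syrian e-gov app: it pins the SHA-256 fingerprint of the legitimate publisher's signing certificate, diffs the requested permissions against a known-good baseline, and flags any APK that lacks exactly one JAR signature block. The certificate bytes, permission names and APK contents are all constructed stand-ins; in practice the DER certificate would be pulled from the APK with a tool such as `openssl pkcs7 -inform DER -in META-INF/CERT.RSA -print_certs` and the permission list with `aapt dump permissions app.apk`.

```python
"""Integrity checks for a candidate Android build (added example, constructed data)."""
import hashlib
import io
import zipfile
from typing import Dict, List, Sequence

SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")  # JAR (v1) signature block file types


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded X.509 certificate, colon separated."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signature_block_names(apk_bytes: bytes) -> List[str]:
    """Names of the v1 signature blocks found under META-INF/ in the APK (a zip file)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(
            name for name in zf.namelist()
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)
        )


def permission_drift(baseline: Sequence[str], observed: Sequence[str]) -> Dict[str, List[str]]:
    """Permissions the candidate build requests beyond (or no longer requests from) the baseline."""
    return {
        "added": sorted(set(observed) - set(baseline)),
        "removed": sorted(set(baseline) - set(observed)),
    }


def assess_build(apk_bytes: bytes, cert_der: bytes, permissions: Sequence[str],
                 pinned_fingerprint: str, baseline_permissions: Sequence[str]) -> List[str]:
    """Return a list of findings; an empty list means the build matches the known-good release."""
    findings: List[str] = []
    blocks = signature_block_names(apk_bytes)
    if not blocks:
        findings.append("no v1 signature block present")
    elif len(blocks) > 1:
        findings.append(f"multiple signature blocks present: {blocks}")
    fingerprint = cert_fingerprint(cert_der)
    if fingerprint != pinned_fingerprint:
        findings.append(f"signer mismatch: expected {pinned_fingerprint}, got {fingerprint}")
    drift = permission_drift(baseline_permissions, permissions)
    findings.extend(f"new permission requested: {p}" for p in drift["added"])
    findings.extend(f"baseline permission dropped: {p}" for p in drift["removed"])
    return findings


def _make_apk(entries: Dict[str, bytes]) -> bytes:
    """Build a minimal zip standing in for an APK (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: these are not real certificates or real app contents.
GOOD_CERT_DER = b"\x30\x82constructed-publisher-certificate"
PINNED_FINGERPRINT = cert_fingerprint(GOOD_CERT_DER)  # recorded from the known-good release
BASELINE_PERMS = ["android.permission.INTERNET"]
GOOD_APK = _make_apk({"META-INF/CERT.RSA": b"pkcs7-good", "classes.dex": b"dex-good"})

TROJAN_CERT_DER = b"\x30\x82constructed-attacker-certificate"
TROJAN_PERMS = BASELINE_PERMS + [
    "android.permission.READ_CONTACTS",          # contact harvesting
    "android.permission.READ_EXTERNAL_STORAGE",  # file collection
    "android.permission.ACCESS_WIFI_STATE",      # Wi-Fi network enumeration
]
TROJAN_APK = _make_apk({
    "META-INF/CERT.RSA": b"pkcs7-attacker",
    "classes.dex": b"dex-modified",
    "assets/payload.bin": b"encrypted-stage-2",
})


if __name__ == "__main__":
    for label, apk, cert, perms in (("release", GOOD_APK, GOOD_CERT_DER, BASELINE_PERMS),
                                    ("candidate", TROJAN_APK, TROJAN_CERT_DER, TROJAN_PERMS)):
        findings = assess_build(apk, cert, perms, PINNED_FINGERPRINT, BASELINE_PERMS)
        print(f"{label}: {'OK' if not findings else 'REJECT'}")
        for f in findings:
            print("  -", f)
```

The fingerprint pin catches the re-signing step regardless of how faithfully the repackaged app mimics the original, and the permission diff surfaces the extra capabilities the report describes (contacts, file access, Wi-Fi state) as a human-reviewable list rather than a binary verdict.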

In the Windows version, the attackers used the same tactic of repackaging the original app to infect victims and exfiltrate data, the report notes.

“Although there are no previously known malicious Android applications attributed to the StrongPity group, we strongly believe that the threat actor is in the process of actively developing new malicious components that can be used to target Android platforms,” the report says. “We believe that the threat actor is exploring multiple ways of delivering the applications to potential victims, such as using fake apps and using compromised websites as watering holes to trick users into installing malicious applications.”

StrongPity Activities

The hack-for-hire group has been behind several attacks against enterprises and government agencies since 2016.

For instance, in August 2020, security firm Bitdefender reported that StrongPity had targeted an international architectural and video production company serving high-end real estate ventures, in suspected corporate espionage at the behest of a rival firm (see: Luxury Real Estate Rivalry Involved Hired Hackers).

A July 2020 report by AT&T Cybersecurity found another StrongPity campaign that used a malicious version of WinBox router management software to target victims.