
StrongPity

Posted: July 1, 2020

StrongPity is spyware that collects information from Windows systems. It may disable various security features in the course of its mission, which centers on exfiltrating Microsoft Office files. Users should treat new software downloads with care to avoid infection, and should let their anti-malware solutions remove StrongPity as soon as possible after an attack.

Pity Those Who Think They're Downloading Something Safe

The threat actor Promethium APT, wielder of spyware like FinSpy and, now, StrongPity, is widening its range of victims. This shift toward global targets in regions such as Canada and India does not indicate any let-up in attacks against Turkish users, but it does fit the threat actor's pattern of slow but constant self-improvement. Its primary tool of the last few years, the spyware StrongPity, shows the same pattern inside its code.

StrongPity is a replacement for FinSpy and, unlike its predecessor, is a tool unique to the Promethium APT. Although its installation may happen in other ways, most verifiable attacks use installers for legitimate programs, ranging from file archivers to Virtual Private Network tools to Web browsers. The threat actor hijacks the download by means that have not been confirmed and lets the legitimate installation proceed, with the addition of the hidden payload.

StrongPity searches for documents, especially Microsoft Office formats, and exfiltrates them (uploads them to the attacker's server). Over time, malware experts have confirmed regular updates to StrongPity, with an emphasis on evasion. Different builds change the spyware's C&C connectivity method and its persistence mechanism (from a Registry entry to a Windows service), and add protections such as refusing to execute inside sandboxes, which are typical of analysis environments.

Out-Strongarming Ancient Spyware Operations

While the original StrongPity, StrongPity2, and StrongPity3 differ in technical details, the progression is a linear one, and from the victim's point of view most of the payload is the same. It always collects documents and similar data for upload to a remote server and suppresses any visible symptoms of its presence. The Promethium APT has a suspected interest in Kurdish-Turkish conflicts, and some of its infection strategies tailor their language to Turkey specifically, but its attacks are now happening worldwide.

Because StrongPity's infection vectors are unusually advanced, Windows users may need to take extraordinary precautions. Scanning downloads, even those from trusted websites and files carrying valid code-signing certificates, is a possible defense against bundled Trojan installers, since a valid signature alone does not prove the installer is the one the vendor published. Users also should, as always, assume that the spyware may have compromised passwords and similar credentials, disconnect the affected machine from the Web, and re-secure their accounts from a clean device.
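The two checks described above, inspecting a downloaded installer before running it and auditing the persistence locations StrongPity is reported to use (Run keys and Windows services), can be scripted. The following PowerShell is an added example written for this page; it is not code from the original article or from any vendor. It assumes an elevated PowerShell 5.1 or later session on Windows, and the installer path and expected SHA-256 value are placeholders the reader replaces with the file they downloaded and the hash the vendor publishes.

```powershell
# Added example (not from the original article). Audits a downloaded installer
# and the usual Windows persistence locations for unsigned or untrusted binaries.
# Assumptions: elevated PowerShell 5.1+ on Windows; $InstallerPath and
# $ExpectedSha256 are placeholders supplied by the reader.

function Test-BinaryTrust {
    # Returns signature status, signer subject and SHA-256 for one file path.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signer = $null; Sha256 = $null }
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256 = $hash
    }
}

function Get-ExecutableFromCommand {
    # Pulls the executable path out of a Run-key value or service ImagePath,
    # which may be quoted and may carry arguments. Unquoted paths with spaces
    # are handled by accumulating tokens until one ends in .exe.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    }
    $acc = ''
    foreach ($p in ($cmd -split ' ')) {
        $acc = if ($acc) { "$acc $p" } else { $p }
        if ($acc -match '\.exe$') { return $acc }
    }
    return ($cmd -split ' ')[0]
}

# 1. Check a freshly downloaded installer before running it. A 'Valid'
#    signature is necessary but not sufficient; the hash must also match the
#    value the vendor publishes, since a substituted installer can be signed too.
$InstallerPath  = "$env:USERPROFILE\Downloads\installer.exe"   # placeholder
$ExpectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder
$t = Test-BinaryTrust -Path $InstallerPath
$hashOk = ($t.Sha256 -eq $ExpectedSha256.ToUpper())
if ($t.Status -ne 'Valid' -or -not $hashOk) {
    Write-Warning "Do not run $InstallerPath (signature=$($t.Status); signer=$($t.Signer); hash match=$hashOk)"
}

# 2. Audit persistence: per-user and machine Run keys, plus Win32 services.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$findings = @(foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notin $providerProps }).Name) {
            $exe = Get-ExecutableFromCommand -Command $props.$name
            Test-BinaryTrust -Path $exe |
                Add-Member -NotePropertyName Source -NotePropertyValue "$key\$name" -PassThru
        }
    }
})
$findings += @(foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ExecutableFromCommand -Command $svc.PathName
    Test-BinaryTrust -Path $exe |
        Add-Member -NotePropertyName Source -NotePropertyValue "Service:$($svc.Name)" -PassThru
})

# Anything not 'Valid' deserves a look: unsigned, tampered, or pointing at a
# path that cannot be resolved (relative paths surface here as 'Missing').
$findings | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Source, Status, Signer, Path -AutoSize
```

Run the script as-is to get a table of every Run-key entry and service whose binary is not validly signed; legitimate unsigned software will appear too, so the output is a starting point for review rather than a verdict. The hash comparison in step 1 is the part that catches a signed-but-substituted installer, which is the scenario the text warns about.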

Up-to-date, professional anti-malware solutions retain a reliable probability of flagging this threat and are the general recommendation for removing StrongPity infections from already-compromised devices.

It's a pity that talented and disciplined programmers will turn their talents to maintaining programs like StrongPity. In better hands, with better moral fiber, such skills could net an employee a respectable job – and one with fewer dangers than operating spyware.
