Cyberespionage campaigns can last anywhere between months and years. Attackers involved in such campaigns always take pains to ensure that their malicious activities remain undetected by the victims. In the event that their activities are exposed, advanced persistent threat (APT) groups often go dark for a while and resurface with new tools and techniques.
The StrongPity cyberespionage group, which operates the StrongPity2 (aka Promethium) malware, is one such APT group. According to security researchers at Cylance, the hacker group made minor changes to its attack techniques in an effort to evade detection and continue its stealthy attacks.
Although StrongPity has made only minimal changes to its code and technique, those changes have proved highly effective. In March 2018, the APT group’s malicious activities, targeting Egypt, Turkey, and Syria, were exposed by experts at Citizen Lab.
“In March, almost immediately upon publication by Citizen Lab, Cylance observed the threat actors behind the malware described in their report change tack,” Cylance researchers said in a blog. “We believe the malware is likely part of yet another commercial (grayware) solution sold to governments and law enforcement agencies, and we have reason to believe it bears a strong connection to a company based in Italy.”
According to Cylance researchers, just two months after Citizen Lab’s report exposed StrongPity’s activities, the group began using new infrastructure with new IP addresses and domains, along with minor code obfuscation changes.
In late March, the APT group pushed sensitive strings, such as C2 domains, onto the stack in Unicode. In May, however, the group pushed Unicode strings onto the stack and XORed the values against a byte, subtracting one from that value.
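For analysts triaging a sample, the May change described above can be undone by trying every single-byte key and keeping only results that look like a domain. The following is an added example, not code from Cylance or from the malware; it assumes each UTF-16LE code unit is recovered as (value XOR key) minus one, and the domain and key in the sample are constructed.

```python
import re
import struct

# Assumption (the article does not give the exact order of operations):
# plaintext code unit = (stored unit XOR key byte) - 1.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def decode(blob: bytes, key: int) -> str:
    """Decode a UTF-16LE blob under the assumed XOR-then-subtract-one scheme."""
    if len(blob) % 2:
        raise ValueError("UTF-16LE data must have an even length")
    count = len(blob) // 2
    return "".join(
        chr(((unit ^ key) - 1) & 0xFFFF)
        for unit in struct.unpack(f"<{count}H", blob)
    )


def encode_sample(text: str, key: int) -> bytes:
    """Inverse transform, used only to build the constructed sample below."""
    return b"".join(struct.pack("<H", (ord(c) + 1) ^ key) for c in text)


def recover_domains(blob: bytes) -> list[tuple[int, str]]:
    """Try all 256 key bytes; keep decodings that are syntactically a domain."""
    hits = []
    for key in range(256):
        text = decode(blob, key)
        if DOMAIN_RE.match(text):
            hits.append((key, text))
    return hits


# Constructed sample: a placeholder domain hidden with a constructed key.
SAMPLE = encode_sample("c2.example.test", 0x5A)

if __name__ == "__main__":
    for key, text in recover_domains(SAMPLE):
        print(f"key=0x{key:02x} -> {text}")
```

Recovered candidates can be compared against DNS and proxy logs; a different order of operations in a real sample only requires changing `decode`.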
“The group or groups behind Promethium/StrongPity will likely continue to adapt to security publications about them. It’s clear they have significant resources at their disposal and will continue to evolve as necessary,” Cylance researchers said. “Only minor adjustments are needed to be effective as the information security world constantly shifts its focus to the next big news item.”