The Promethium APT, also referred to as StrongPity, has been found to be involved in a new series of attacks, despite the risk of constant exposure.
What’s going on?
The activities of the hacking group can be traced back to 2012 and are associated with political cyber-espionage. However, the threat actor is expanding its reach and attempting to infect victims across various countries, instead of focusing only on Turkey and Syria. According to the recently collected samples, the targets are located in Vietnam, Cambodia, India, and Canada. Moreover, four trojanized setup files have been spotted, including Firefox, 5kPlayer, DriverPack, and VPNpro.
About the trojanized installers
- A custom, digitally signed bundler or dropper is used that bundles the malicious components together with the legitimate software.
- The encryption varies from installer to installer, although the key length remains unaltered.
- According to observations by Bitdefender, it is believed to be a state-sponsored group.
- The IOCs associated with it can be found here.
How does it work?
- The group's Command & Control (C2) servers span three infrastructure layers: proxy servers, VPNs, and the IP addresses that receive the forwarded data. A total of 47 servers with various functionalities were traced.
- Around 30 C2 servers have been associated with the threat actor’s highly sophisticated malware - StrongPity3.
- The group targets a higher number of victims by bolstering its toolkit via the use of new trojanized setup files that deploy the StrongPity3 malware.
The bottom line
Promethium APT is a resilient threat actor: it has not been subdued even after repeated exposure. Its recent attack campaigns show that the group is determined to accomplish its mission. Based on the characteristics of the group revealed so far, some experts believe it to be a nation state-backed operation.