As we reported in September, in campaigns we detected in two different countries, man-in-the-middle attacks had been used to spread FinFisher, with the “man” in both cases most likely operating at the ISP level.
Continuing our research into FinFisher – the infamous spyware known also as FinSpy and sold to governments and their agencies worldwide – we noticed that the FinFisher malware in our previously-documented campaign, which had strong indicators of internet service provider (ISP) involvement, had been replaced by different spyware. Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the group called StrongPity. As well as detecting and blocking this threat, all ESET products – including the free ESET Online Scanner – thoroughly clean systems compromised by StrongPity2.
As we reported in September, in campaigns we detected in two different countries, Man-in-the-Middle (MitM) attacks had been used to spread FinFisher, with the “man” in both cases most likely operating at the ISP level. According to our telemetry, those campaigns were terminated on 21 September 2017 – the very day we published our research.
On 8 October 2017, the same campaign resurfaced in one of those two countries, using the same (and very uncommon) structure of HTTP redirects to achieve “on-the-fly” browser redirection, only this time distributing Win32/StrongPity2 instead of FinFisher. We analyzed the new spyware and immediately noticed several similarities to malware allegedly operated by the StrongPity group in the past.
The first similarity is the attack scenario – users trying to download a software installation package were being redirected to a fake website serving a trojanized version of the expected installation package. The StrongPity group was observed performing such watering hole attacks in the summer of 2016, targeting mostly Italian and Belgian users of encryption software.
During our research, we found several different software packages trojanized with Win32/StrongPity2:
- CCleaner v 5.34
- Driver Booster
- The Opera Browser
- The VLC Media Player v2.2.6 (32bit)
- WinRAR 5.50
Since the beginning of the campaign, our systems have recorded more than one hundred detections of this malware.
We found a number of other similarities between StrongPity-operated malware, and the way in which Win32/StrongPity2 is implemented:
- Some parts of the code are exactly the same
- The (not exactly common) structures of their configuration files share some notable similarities, as shown in Figure 1:
- Both use the same obfuscation algorithm (a very uncommon Byte ^= ((Byte & 0xF0) >> 4)
- Both use the same (quite old) libcurl version 7.45
- Both exfiltrate files in the same way (the main payload handles exfiltration of files previously collected and saved by a dedicated module)
Speaking of stealing data, Win32/StrongPity2 has several file types with the following extensions in its crosshairs:
While searching for these files, it avoids the following folders:
- %Program Files%
- %Program Files (x86)%
In addition to data exfiltration, Win32/StrongPity2 is able to download and execute virtually any other (malicious) software of the attacker’s choice, with the privileges held by the compromised account.
How to check your system for compromise, how to clean it and how to stay protected
To determine whether a system is infected with Win32/StrongPity2, the system can be scanned using the free ESET Online Scanner. If Win32/StrongPity2 is detected this tool is able to remove it.
It is also possible to check the system manually by verifying the existence of the folder
%temp%\lang_be29c9f3-83we, which the malware creates to stores its components, with the file wmpsvn32.exe being the main one. Another easy-to-check indicator of compromise is the presence of Registry string value located in the path HKCU\Software\Microsoft\Windows\CurrentVersion\Run, named Help Manager with the string
%temp%\lang_be29c9f3-83we\wmpsvn32.exe in its data field:
Manual clean-up of an infected system includes the following steps:
- Killing the main component’s process, wmpsvn32.exe
- Deleting the folder %temp%\lang_be29c9f3-83we and all its contents
- Deleting the ‘Help Manager’ value in the above-mentioned Registry entry
It is important to note that for real-time, continuous protection we recommend using a reputable multi-layered internet security suite.
Special thanks to Ivan Besina for his help with the research for this article.
|Hashes of analyzed samples:|
|Domain serving the software packages trojanized by Win32/StrongPity2|
|URLs used to exfiltrate stolen data|
|Folder created by the malware to store its components|