[MART] - Daily Diary #309 - StrongPity APT Group Launches Android Threat

CTAS-MAT ctas-mat at appgate.com
Wed Jul 21 23:59:48 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

07/21/2021 - Diary entry #309

StrongPity (a.k.a. PROMETHIUM) is an Advanced Persistent Threat group that has been active since at least 2012. StrongPity is known for watering-hole attacks that infect victims with a modular Windows threat. This week, however, a new Android threat was disclosed after being served from the Syrian e-Gov website, and StrongPity is believed to be behind it.

This sample is a maliciously modified version of the Syrian government's Android application. The sample, built in May 2021, was distributed through a watering-hole attack: the official Syrian website was compromised and its legitimate Android application was replaced with the malicious version. The malware is signed with a certificate different from the official app's and was built by repackaging the original app.

The malicious version contains additional classes that are not present in the official builds. It has a highly modular structure of components that run background tasks, enabling the malicious functionality through message handlers. Among the malware's capabilities we can highlight: retrieving and deploying encrypted payloads from the C2 server, listing the device's contacts, and exfiltrating files.

We would like to reinforce: never trust an application downloaded from external sources. Apps distributed through Google Play and other trusted stores must keep the same signing certificate across updates, and Android itself refuses to install an update whose signing certificate differs from the installed app's, which makes it harder for an attacker to push a tampered version of a trusted app. A repackaged APK sideloaded from a website is not subject to that store-side check; if the original app is not already installed, it installs with whatever certificate the attacker chose.
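One check a practitioner can run on a suspect APK is to pull the signer certificate out of its v1 (JAR) signature block and compare its SHA-256 fingerprint with the official app's known fingerprint (the value apksigner prints as the signer certificate digest). The Python script below is an added example written for this diary entry; it is not code from Appgate nor anything taken from the analysed sample. It uses only the standard library, walks the PKCS#7 DER structure by hand, and builds a constructed in-memory "APK" with a dummy certificate so it runs offline. Function and fixture names (pkcs7_signer_cert, apk_v1_signer_fingerprint, build_fake_apk, FAKE_OFFICIAL_CERT, ...) are hypothetical. It only reads the certificate and does not verify the signature, and an APK signed with the v2/v3 scheme alone has no META-INF/*.RSA file, so use apksigner for those.

```python
import hashlib
import io
import zipfile

# DER value bytes of OID 1.2.840.113549.1.7.2 (pkcs7-signedData)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length). Used here only to build the constructed fixture."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_walk(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, content_start, content_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tlv_start, tag = pos, buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("high-tag-number form not supported")
        length, pos = buf[pos + 1], pos + 2
        if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
            nbytes = length & 0x7F
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        if pos + length > end:
            raise ValueError("truncated DER element")
        yield tag, tlv_start, pos, pos + length
        pos += length


def first_child(buf: bytes, start: int, end: int, want_tag: int):
    """Return (tlv_start, content_start, content_end) of the first child TLV carrying want_tag."""
    for tag, s, cs, ce in der_walk(buf, start, end):
        if tag == want_tag:
            return s, cs, ce
    raise ValueError(f"tag 0x{want_tag:02x} not found")


def pkcs7_signer_cert(pkcs7: bytes) -> bytes:
    """Return the DER bytes of the first certificate inside a PKCS#7 SignedData blob (META-INF/*.RSA)."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    _, ci_s, ci_e = first_child(pkcs7, 0, len(pkcs7), 0x30)
    _, oid_s, oid_e = first_child(pkcs7, ci_s, ci_e, 0x06)
    if pkcs7[oid_s:oid_e] != OID_SIGNED_DATA:
        raise ValueError("not a pkcs7-signedData ContentInfo")
    _, c0_s, c0_e = first_child(pkcs7, ci_s, ci_e, 0xA0)
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo, certificates [0] IMPLICIT, ... }
    _, sd_s, sd_e = first_child(pkcs7, c0_s, c0_e, 0x30)
    _, certs_s, certs_e = first_child(pkcs7, sd_s, sd_e, 0xA0)
    cert_start, _, cert_end = first_child(pkcs7, certs_s, certs_e, 0x30)
    return pkcs7[cert_start:cert_end]


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the digest apksigner reports for a signer."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_v1_signer_fingerprint(apk_bytes: bytes) -> str:
    """Fingerprint of the first signer certificate found in the APK's v1 (JAR) signature block."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        sig_files = [n for n in z.namelist()
                     if n.upper().startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not sig_files:
            raise ValueError("no v1 signature block found; inspect v2/v3 signing with apksigner instead")
        return cert_fingerprint(pkcs7_signer_cert(z.read(sig_files[0])))


def matches_official_signer(apk_bytes: bytes, expected_sha256: str) -> bool:
    """True when the APK's signer certificate matches the known fingerprint (colon-separated form accepted)."""
    return apk_v1_signer_fingerprint(apk_bytes) == expected_sha256.replace(":", "").lower()


# --- constructed fixture (not a real APK and carries no real signature): a zip whose CERT.RSA wraps cert_der ---
def build_fake_apk(cert_der: bytes) -> bytes:
    signed_data = der_tlv(0x30,
        der_tlv(0x02, b"\x01")                                                # version
        + der_tlv(0x31, b"")                                                  # digestAlgorithms (empty in fixture)
        + der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010701")))  # encapContentInfo: pkcs7-data
        + der_tlv(0xA0, cert_der)                                             # certificates [0] IMPLICIT
        + der_tlv(0x31, b""))                                                 # signerInfos (empty in fixture)
    pkcs7 = der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


# Dummy "certificates": any DER SEQUENCE stands in for an X.509 Certificate in this fixture.
FAKE_OFFICIAL_CERT = der_tlv(0x30, der_tlv(0x13, b"official-egov-signer"))
FAKE_REPACKAGED_CERT = der_tlv(0x30, der_tlv(0x13, b"attacker-signer"))

if __name__ == "__main__":
    known_good = cert_fingerprint(FAKE_OFFICIAL_CERT)  # in practice taken from the store listing or a trusted copy
    for label, apk in (("official", build_fake_apk(FAKE_OFFICIAL_CERT)),
                       ("repackaged", build_fake_apk(FAKE_REPACKAGED_CERT))):
        print(f"{label}: signer {apk_v1_signer_fingerprint(apk)[:16]}... match={matches_official_signer(apk, known_good)}")
```

On a real sample, replace build_fake_apk with the bytes of the downloaded APK and take the expected fingerprint from a trusted copy of the official app (or from apksigner's output on it); a mismatch is exactly the "signed with a different certificate" condition described above, and is the quickest triage signal that an app was repackaged.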

Kind Regards,




Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509


