TG Soft Software House - Vir.IT eXplorer: AntiVirus, AntiSpyware and AntiMalware
Detects viruses and malwareIdentifies polymorphic viruses thanks to DEEP SCANMacro Virus AnalyzerINTRUSION DETECTION TechnologyVirus/malware removal toolsInstallation on Active Directory16/32/64 bit Real-Time ProtectionVir.IT Scan MailVir.IT Console Client/ServerVir.IT WebFilter ProtectionAutomatic Live-UpdateVir.IT Personal FirewallItalian Tech SupportAntiMalware Reserch Center


Submit suspicious file
fb rss linkedin twitter

ICSA Lab

Vir.IT eXplorer PRO pass the test VB100 2017-04

AMTSO

OpsWat

EICAR Membro SERIT - SEcurity Research in ITaly

23/12/2016 15:05:34 - In May 2016 StrongPity launched a DDoS attack on the website of  "Diyarbakir Bar Association", whose chairman the Kurdish lawyer Tahir Elci had been murdered on 28th Nov 2015 in Turkey.




During the summer of 2016 the StrongPity APT has spread through the WinRAR software distributed in Italy and Belgium, and through TrueCrypt software in Turkey.

StrongPity is an advanced persistent threat (APT), most probably of Turkish origins, able to steal the login credentials, track tasks and perform DDoS attacks.

StrongPity has been documented the first time by the researcher Kurt Baumgartener (@k_sec) of Kaspersky Lab at the "Virus Bulletin" conference in Denver on 6th of oct. 2016: "On the StrongPity waterhole attacks targeting Italian and Belgian encryption users".

CONTENTS

==> How StrongPity spreads
 
==> Running of StrongPity

==> Keylogger module: prst.dll

==> C&C management module: wrlck.dll

==> DDoS module: wndplyr.exe

==> Cyber attack hit the website of the Bar Association of Diyarbakir (Turkey)

==> StrongPity in TrueCrypt

==> TruvaSys in TrueCrypt

==>
Conclusions

Microsoft Corporation, in their SIR report "Microsoft Security Intelligence Report Volume 21" also stated that the PROMETHIUM APT (aka StrongPity) is connected to 2 other malware dubbed Truvasys and NEODYMIUM.

TG Soft's Research Centre (C.R.A.M.) has reputed to examine in depth the variant of StrongPity distribuited via WinRAR Italy.




How StrongPity spreads

StrongPity has spread in Italy and Belgium throughout the download of the original version of WinRAR. In Italy, as stated by the researcher Kurt Baumgartner, the site of italian distributor of  WinRAR has been compromised between the 24th May and the 1st June 2016, where the version downloaded of WinRAR was internally "altered" by the StrongPity malware.

In Belgium, the site of the WinRAR.BE  distributor was compromised redirecting all program downloads towards a fake site "ralrab[.]com" with versions infected by StrongPity.

Turkey instead was hit by the TrueCrypt program.

I would like thank the italian distributor of WinRAR for the collaboration,  which has provided us with 3 versions infected by  StrongPity:
  • WRar531it.exe (size: 2843648 byte - MD5: 71BFE79ADBD00F6D0E928437198AFBCD)
  • WinRAR-x64-531it.exe (size: 3031040 byte - MD5: 7A1D3F6A12D5D4F78D27F7CD255508DB)
  • WRar393it.exe (size: 2312704 byte - MD5: C566DBDB2C90D5B132188355BB93D700)



Regarding our analysis we have taken into consideration the file WRar531it.exe.
Prior of running
WRar531it.exe infected by  StrongPity, let's analyse the resources inside the file.

 
It is interesting to notice that inside the field "CompanyName" we can read the word: zorrokin.

This word "zorrokin" will be present in each file of WinRAR infected by StrongPity.

"Zorrokin" is a Turkish word that mean zorro.

Inside the resources of the file, we can find the HTML folder. This folder contains 7 resources enumerated as such: 103, 105, 106, 107, 108, 109, 110.
The following resources 103 (original setup of WinRAR), 105 (
wrlck.dll), 107 (prst.dll), 109 (nvvscv.exe), 110 (wndplyr.exe) all contain the executable file. Instead the n. 106 (wrlck.cab) and the n. 108 (prst.cab) contain the data file.

The modules of StrongPity are enclosed in the following resources: 105, 106, 107, 108, 109 e 110.



Scheme of
the "WRar531it.exe" package infected by StrongPity:




During the execution of the infected "
WRar531it.exe", the following files will be extracted inside the %temp% folder of the current user:
%userprofile%\AppData\Local\temp\procexp.exe
%userprofile%\AppData\Local\temp\sega\nvvscv.exe

%userprofile%\AppData\Local\temp\sega\prst.cab
%userprofile%\AppData\Local\temp\sega\Prst.dll
%userprofile%\AppData\Local\temp\sega\wndplyr.exe
%userprofile%\AppData\Local\temp\sega\wrlck.cab
%userprofile%\AppData\Local\temp\sega\wrlck.dll

The file
procexp.exe contains the original version of WinRAR, instead all other files are modules of StrongPity.
At this point the file procexp.exe for the installation of WinRAR and the file
nvvscv.exe of StrongPity will be executed.

It is interesting to notice the name "sega" of folder created by StrongPity, which is a reference to the japanese gaming and console company Sega Corporation.
In others variants of StrongPity, i.e. that of TrueCrypt, the folder created in %temp% is called  "eagames" which is a reference to "Electronic Arts Games", a company of videogames.

StrongPity modifies the following registry key in order to run the module
nvvscv.exe at startup:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[Nvdia] = %userprofile%\AppData\Local\temp\sega\nvvscv.exe






Running of StrongPity

The module of StrongPity nvvscv.exe will automatically run at startup. This module is responsible of loading the libraries:
  • Prst.dll (keylogger)
  • wrlck.dll (module of comunication of C&C)
Both Prst.dll and wrlck.dll export a unique function called: start_thread

The module
nvvscv.exe creates 2 threads, where it is passed as parameter the name of library to load (Prst.dll and wrlck.dll) , subsequently it will call the function: start_thread.






Keylogger module: prst.dll

The module prst.dll of StrongPity functions as a keylogger.
This DLL library only exports the function "start_thread" called by
nvvscv.exe.
Initially it reads the
"prst.cab" configuration file, whose contents are ciphered, as we can see in the following image:



The cipher algorithm is the following:


After the decryption
, the following result is obtained: 




The configuration file "prst.cab" saved inside
WRar531it.exe, contains the following list of programs:
  • putty.exe
  • filezilla.exe
  • winscp.exe
In other variants of StrongPity, we have found a configuration file "prst.cab" with the following programs
:
  • putty.exe (client SSH and Telnet)
  • filezilla.exe (FTP)
  • winscp.exe (FTP)
  • mstsc.exe (remote desktop)
  • mRemoteNG.exe (remote connections manager: RDP, VNC, ICA, etc.)

After it reads the file "prstind.bin", if it doesn't exist then it creates this file and initializes it with the value 0 (DWORD 64 bit), otherwise it reads the numerical value saved. The file "prstind.bin" is used only to save a counter.

The keylogger creates a timer that starts every 180 seconds and it's used to increment the counter saved in
"prstind.bin".

To implement the functions of keylogger, the module "prst.dll" gets hooked to all keys (lower and upper case) with the RegistryHotKey API. When a key is pressed, the keylogger intercept it and determines the process name and the title of the window where the key was pressed.

If the process belongs to a program inside the "prst.cab" file, the keylogger saves the process name, the title of the window and the sequence of keys pressed in the file msattrib32_%s_k_%u.res

where:
  • %s is a string that contains the serial number of volume of disk C:
  • %u is a number (0, 1, 2, etc) of counter saved in prstind.bin
example:
msattrib32_2564879395_k_0.res

As we can see from the list of programs inside in "prst.cab", StrongPity is interested in stealing  the login credentials in order to connect to several services such as FTP, SSH, telnet, RDP, etc. This way StrongPity will have full access via ftp, telnet, remote desktops of servers and clients of victims, with the possibility of stealing every document.

 



C&C management module: wrlck.dll

The wrlck.dll module of StrongPity manages the communication with the C&C server.
This library only exports one function which is "start_thread" called by
nvvscv.exe.
Initially it reads the ciphered
"wrlck.cab" configuration file, as we can see:


Decrypting the file "wrlck.cab", we can obtain:


The configuration file 
"wrlck.cab" contains the following sites:

https://myrappid[.]com/flappy/butterflys.php First C&C server
https://myrappid[.]com/flappy/turtles.php First C&C server
https://pinkturtle[.]me/flappy/butterflys.php Second C&C server
https://pinkturtle[.]me/flappy/turtles.php Second C&C server

At end of the configuration file "wrlck.cab", we can find the code: "wnit".
Analysing several configuration files of Strongpity, taken from different release of  WinRAR Italy, Belgium and from TrueCrypt software, this code could represent the campaign's ID:

Software Code Note
WinRAR Italy wnit Italy
WinRAR Belgium winrarbe Belgium
TrueCrypt szlk02 Turkey (????)


After reading from memory the contents of 
"wrlck.cab", StrongPity calls the ShGetSpecialFolder API to obtain the following paths:
  • C:\Program Files
  • C:\Program Files (x86)
It opens the file "msattrib32_%s_i", if it doesn't exist then it reads the operating system's version to establish if the computer is either a CLIENT or a SERVER, consequently it creates the file  "msattrib32_%s_i" in order to save the value "CLIENT" or "SERVER" depending on the operating system's version.

The value %s in the filename "msattrib32_%s_i" is made in this way: <code>_<serial number of volume of disk C:>
example: msattrib32_wnit_2564879395_i


From this point onwards it starts to enumerate the contents of following folder:
  • C:\Program Files
  • C:\Program Files (x86)
in order to identify the sub-folders  (non recursive). The names of sub-folders of "C:\Program Files" and of "C:\Program Files (x86)" will be saved in the file "msattrib32_%s_i" in encrypted form.

At this point StrongPity will create a new thread that will remain in wait state for a few seconds.
The main thread of StrongPity will cyclically connect to the C&C server.
StrongPity uses 2 servers of command & control, the first and the main one is myrappid[.]com, in the case the connection failure it will try the pinkturtle[.]me.

The first request is of type post at page https://myrappid[.]com/flappy/turtles.php, with the following request:
name=<code_serialnumbervolume>
example: name=wnit_2564879395

The reply of the server is saved in the file  tmp_cmd
The data received is structured in this way:
Offset Field
0x00 Filename
0x10 ???
0x20 Code DWORD
0x24 Size of next field
0x28 Data

At this point it creates a new file, with the name taken from offset 0x00 "Filename" from the file tmp_cmd and will save in it the data from  the offset 0x28 of tmp_cmd.
If the file created is wndplyr.cab then it will run the file wndplyr.exe and nmds.exe, otherwise it will run only the file nmds.exe.

Inside the folder "sega" we didn't find the file nmds.exe. This may be due to peculiar circumstances that we aren't able to reproduce, because the StrongPity domains are offline.

Meanwhile the new thread created by StrongPity enumerates all files msattrib32_* presents inside the folder "sega".
In this way StrongPity seeks the followings file:
  • msattrib32_%s_i
  • msattrib32_%s_k_%u.res
In the msattrib32_%s_i file, the list of programs installed in C:\Program Files and in C:\Program Files (x86) is saved. On the other hand, inside the msattrib32_%s_k_%u.res files the sequences of keys pressed is saved

These file will be sent via a "post" request at server of comand & control:
https://myrappid[.]com/flappy/butterflys.php.
If the submit fails then a second server will be contacted:
https://pinkturtle[.]me/flappy/butterflys.php.

The page turtles.php is used to receive comands from the C&C server, instead the page butterflys.php is used to send stolen information.

Information about domains:

Name IP Date of creation
myrappid[.]com 109.236.92.237 Created on 2016-01-19 - Expires on 2017-01-19 - Updated on 2016-01-19
pinkturtle[.]me 109.236.92.237 Created on 2016-01-21 - Expires on 2017-01-21 - Updated on 2016-03-21
ralrab[.]com 139.59.15.88 Created on 2015-10-27 - Expires on 2017-10-27 - Updated on 2016-09-29
mytoshba[.]com 109.236.92.237 Created on 2016-01-19 - Expires on 2017-01-19 - Updated on 2016-01-19








DDoS module: wndplyr.exe

The module of StrongPity wndplyr.exe is developed to run DDoS attack towards a pre-established targets.
This malware is ran by the
wrlck.dll library when it receives the command from the C&C server to create the file wndplyr.cab, which contains the information about the site to attack.

The file
wndplyr.cab is ciphered and it's structured in this way:
<domain to attack><0x0a><page><0x0a><protocol><0x0a><code><0x0a>

For example if the value of protocol is 80, this means a http request.

At this point it runs a DDoS attack towards the page of chosen site for an undefined period of time:

 



Every 10 ms StrongPity runs a connection request to the chosen site (send/recv), in case of connection error, StrongPity waits 1 second before re-opening the socket and re-starting the attack.







Cyber attack hit the website of the Bar Association of Diyarbakir: diyarbakirbarosu.org.tr

The 25th May 2016 at 18:41 o'clock (italian time) the module of StrongPity wndplyr.exe launched a DDoS attack (HTTP flood) towards the website of the Bar Association of the city of Diyarbakir: diyarbakirbarosu.org.tr

The 25th May 2016 the module
wrlck.dll received the command of creating the following file wndplyr.cab:



Decrypting the file wndplyr.cab:



Domain to attack: diyarbakirbarosu.org.tr
Webpage: filemanager/BAROBLTENZELSAYI.pdf
Protocol: 80

The 25th May 2016 StrongPity has ran a DDoS attack (HTTP flood) towards:
http://diyarbakirbarosu.org.tr/filemanager/BAROBLTENZELSAYI.pdf

The filename "BAROBLTENZELSAYI.pdf" should mean "BARO BÜLTEN ÖZEL SAYI"
in Turkish and translated into english is more or less equivalent to: "LAWYERS NEWSLETTER SPECIAL EDITION".

The contents of the
"BAROBLTENZELSAYI.pdf" document are unknown and trying to download it the following access denied error at file is obtained:



The search with Google of the "
BAROBLTENZELSAYI.pdf" or "BAROBLTENZELSAYI" terms didn't obtain any results. This may be due to the fact that the document is not indexed, but the author of StrongPity is aware of the existence of such files.

Why does StrongPity try to sabotage the site of the Bar Association of Diyarbakir ?

Before answering this question we need to understand what the Bar Association of
Diyarbakir is and who was the Kurdish Tahir Elçi human rights activist lawyer.

Diyarbakir Bar Association (
diyarbakirbarosu.org.tr)  is an organization which works for human rights and for the state of rights in Turkey.

The former chairman of
Diyarbakir Bar Association, the Kurdish lawyer Tahir Elçi, was killed in the Sur district of Diyarbakir in Turkey on 28th November 2015.  He was shot once in the head while giving a press statement at the "Four-legged Minaret" of Sheikh Matar Mosque.
.



The news of the murder of the Kurdish lawyer was taken up by the major Italian and international newspapers:

BBC Pro-Kurdish lawyer Tahir Elci shot dead in Turkey
TIME The Killing of a Kurdish Lawyer Means Dark Days for Turkey
Al Jazeera Prominent pro-Kurdish lawyer shot dead in Turkey
   
La Repubblica Turchia, ucciso il capo degli avvocati curdi. Erdogan: "Giusta nostra guerra al terrorismo"
LA STAMPA Ucciso il leader degli avvocati curdi Esplode la rabbia, scontri a Istanbul
L'Huffington Post Ucciso Tahir Elci, capo degli avvocati curdi di Diyarbakir in Turchia. Erdogan attacca il PKK, scontri a Istanbul
TGCOM24 Turchia, ucciso leader degli avvocati curdi Istanbul, scontri tra manifestanti e polizia
Rai News Turchia, ucciso noto avvocato curdo. Diceva "Pkk non è gruppo terroristico"
Unione delle Camere Penali L'Avvocato Tahir Elci ucciso mentre difendeva i diritti civili e politici e la libertà di espressione, e quindi la democrazia

The Kurdish lawyer
Tahir Elçi was arrested on 20th of October 2015 for allegedelly saying on CNN Turk that the PKK was not a terrorist organisation. After his arrest and interrogation, the prosecutor requested the court to impose pre-trial detention. The court ordered Mr. Elçi’s release.







StrongPity in TrueCrypt

After having analysed StrongPity inside of WinRAR, we will now analyse the version "altered" of TrueCrypt spread in Turkey.

Name of file: TrueCrypt-7.2.exe
Size: 5530624 byte
MD5: 563C9FACE8A03F1EE91E78CC0F913410

This file has been seen the first time on VirusTotal:
2016-10-10 18:02:31 UTC

Inside the file
TrueCrypt-7.2.exe we find the following resources:



The resources inside the HTML folder are the following files:
  • 103: procexp.exe (size 4.535.808 byte)
  • 105: StrongPity module xsyn.dl
  • 106: StrongPity configuration file xsyn.cab
  • 107: StrongPity module xykl.dll
  • 108: StrongPity configuration file prst.cab
  • 109: StrongPity module nvvscv.exe
  • 110: StrongPity module wndplyr.exe
In the StrongPity version of WinRAR, the resource 103 contained the original setup of WinRAR. In the "altered" version of
TrueCrypt-7.2.exe, the resource 103 contains another "altered" setup of TrueCrypt.

Resources inside the file procexp.exe (resource HTML->103 of
TrueCrypt-7.2.exe):



Here we find 5 resources encrypted inside the HTML folder:
  • 814: Truvasys module dcomx32.exe
  • 816: Truvasys module winxsys.exe
  • 817: original setup of TrueCrypt
  • 823: Truvasys module resdllx.dll
  • 824: Truvasys configuration file syswindxr32.dll
The original setup of TrueCrypt is inside the resource HTML 817.
The other resources 814, 816, 823 e 824 contain the malware: Truvasys.


Scheme of StrongPity and TruvaSys inside the "altered" file TrueCrypt:
 




Brief description of StrongPity inside in TrueCrypt:
  • nvvscv.exe: main module that loads the DLLs xsyn.dll and xykl.dll
  • xsyn.dll: command & control server module
  • xykl.dll: keylogger module
  • xsyn.cab: connection configuration file used to connect to the C&C server
  • prst.cab: keylogger configuration file
  • wndplyr.exe: DDoS module
  • jhisrvc32_%s_i: file where the list of programs of C:\Program Files and C:\Program Files (x86) is saved
  • jhisrvc32_%s_k_%u_i.res: file where the pressed keys are saved
  • tmp_cmd: file for receiving the commands of the C&C server
  • PrstInd.bin: counter file
StrongPity modifies the following registry key in order to run the module nvvscv.exe at startup:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[EAGames] = %userprofile%\AppData\Local\temp\eagames\nvvscv.exe


In this version of StrongPity, the configuration file prst.cab is only 2 byte in lenght, it doesn't contain any process list checked by the keyologger module. The keylogger module will intercept any key pressed in any window of each program where we are working.

The file xsyn.cab contains the same addresses of the C&C server previously seen in the WinRAR version:
  • https://www.myrappid[.]com
  • https://www.pinkturtle[.]me
The code inside of file
xsyn.cab is szlk02.


Differences among StrongPity of WinRAR and TrueCrypt:

Field WinRAR TrueCrypt
Directory sega eagames
Registry Nvdia EAGames
Main module nvvscv.exe nvvscv.exe
Keylogger Prst.dll xykl.dll
Conf. file keylogger prst.cab prst.cab
C&C Module wrlck.dll xsyn.dll
Conf. file C&C wrlck.cab xsyn.cab
DDoS Module wndplyr.exe wndplyr.exe
Conf. file DDoS wndplyr.cab qwqw.cab
File temp cmd tmp_cmd tmp_cmd
Keylogger file saved msattrib32_%s_k_%u.res jhisrvc32_%s_k_%u_i.res
Programs file saved msattrib32_%s_i jhisrvc32_%s_i
Counter file PrstInd.bin PrstInd.bin
Domains
https://www.myrappid[.]com
https://www.pinkturtle[.]me
https://www.myrappid[.]com
https://www.pinkturtle[.]me



The DDoS module
wndplyr.exe of StrongPity (vers. TrueCrypt) uses as configuration file qwqw.cab. Compared to the version found in WinRAR, the DDoS module only runs "send" requests with a 1 ms pause. We don't have the qwqw.cab configuration file, so it isn't possible to provide further information.







TruvaSys in TrueCrypt

Now we will analyse the TruvaSys malware inside the "altered" TrueCrypt-7.2.exe file.
The execution of the "altered"
TrueCrypt-7.2.exe file, will run from %temp% folder the file "procexp.exe". The file "procexp.exe" is an "altered" version of TrueCrypt, which will infect the computer with TruvaSys.

Name: procexp.exe
Size: 4535808 byte
MD5: C43ACCF1C69C3020583AA587924AC9A5

This file has been seen the first time on VirusTotal: 2015-12-09 12:51:16 UTC

TruvaSys installs the followings file:
  • %system32%\dcomx32.exe
  • %system32%\resdllx.dll
  • %system32%\syswindxr32.dll
  • %system32%\winxsys.exe
  • %temp%\Microsoft\IKE\fprot32.exe
  • %temp%\resplgdll32\fprot32.exe
  • %temp%\resplgdll32\vId.bin
Name:
dcomx32.exe
Size: 171.832 byte
MD5: C2D1047CB273F9CDB3704C1AF9CCC2C6
This file has been seen the first time on VirusTotal: 2015-10-27 18:19:25 UTC

Name: resdllx.dll
Size: 729.587 byte
MD5: 5F69F01D7819A4DA35B0FDABABA49AA0

Name: syswindxr32.dll
Size: 49 byte
MD5: 3DFF9D2AE5046E106EE6E9CF95B47931

Name: winxsys.exe
Size: 848.896 byte
MD5: F00F547501DBD6ABC01DFCD8CDC8378F
This file has been seen the first time on VirusTotal: 2015-11-26 14:27:43 UTC

Name: fprot32.exe
Size: 91.960 byte
MD5: 22ED9FD371A1AE4B16C773895B0A6E6A
This file has been seen the first time on VirusTotal: 2015-10-27 18:19:27 UTC

Name: vId.bin
Size: 4 byte
MD5: 0F3D014EEAD934BBDBACB62A01DC4831


The file
resdllx.dll is a zip archive, which inside contains the following files:
  • fprot32.exe
  • libeay32.dll  (library of OpenSSL)
  • ssleay32.dll (library of OpenSSL)

TruvaSys installs the following service:
Name of Service: Windows Index Services
Path of service: c:\windows\system32\dcomx32.exe

The service dcomx32.exe runs the file
winxsys.exe via the CreateProcessAsUser API.
The file
winxsys.exe  is the main module of TruvaSys ans it is written in Delphi.
The file
syswindxr32.dll contains the list of C&C servers:
  • www.truecrypte[.]org
  • www.true-crypte[.]website
The file
fprot32.exe is ran from winxsys.exe with some parameters for the sockets creation of type: SOCK_STREAM (protocol IPPROTO_TCP), SOCK_DGRAM (IPPROTO_UDP) and SOCK_RAW (IPPROTO_ICMP).
At the moment the servers of command & control are offline, so it isn't possible to make a deep analysis of TruvaSys.

Information about domains:
Name IP Date of creation
www.truecrypte[.]org 98.124.243.37 Created on 2015-11-17 - Expires on 2017-11-17 - Updated on 2016-12-02
www.true-crypte[.]website 198.54.117.212 Created on 2015-11-16 - Expires on 2016-11-16 - Updated on 2016-12-22
 
 
 

 


Conclusions

In these months we have analysed in full detail the evolution of StrongPity, which spreads through  the "altered" software of WinRAR and TrueCrypt.
We can state with accuracy that the software "WinRAR" and "TrueCrypt" are used as vector of infections and not as main targets. Additionally, the users of TrueCrypt may be hiding reserved or classified informations that cannot be disclosed.

StrongPity is a malware of espionage that can steal reserved informations, such as login credentials of servers or computers, via ftp softwares (filezilla, winscp), client SSH (putty), remote desktop (mstsc, mRemoteNG) and launch DDoS attacks.

StrongPity has become widespred in Italy, Belgium and Turkey. From our analysis it is clear that the authors of StrongPity project could be Turkish, most likely close to the current political regime.

On the 25th of May 2016 at 18:41 o'clock (italian time) we have discovered a DDoS attack on the DiyarbakirBar Association website, whose chairman previously was the Kurdish lawyer Tahir Elçi, a human rights activist. He was assassinated on 28th of November 2015 in unclear circumstances. The Kurdish lawyer Tahir Elçi, a few weeks before the killing, had stated in a TV program of CNN Turk, that the PKK was not a terrorist organisation, therefore Mr. Elçi  was seen as an "incovenient" person by the turkish regime.

Why attack Italy ?
It's very difficult to reply to this question,  we don't have the reliable elements that allow us to provide an answer. However, it is possible to venture the hypothesis of a possible connection Turkey-Italy, related to the investigation of the case that involves the son of Prime Minister Erdogan turkish for money laundering in February 2016 conducted by the prosecutor of Bologna. This investigation is still ongoing.

Connected to StrongPity, it has been found inside of the "altered" software TrueCrypt another malware dubbed:  TruvaSys.
From our checks, TruvaSys may have been developed before StrongPity. Indeed some modules of TruvaSys, as dcomx32.exe, were seen the first time on the  27th October 2015 on VirusTotal, instead the modules of StrongPity were detected for the first time only in May 2016.
TruvaSys was most likely made before StrongPity, an evidence for this are the dates of registration of the C&C servers domains that enforce this conclusion.

It is interesting to observe that the domain "ralrab[.]com", used for the version of WinRAR Belgium, that was registered on 27 October 2015, therefore several months before the attack seen in May 2016.
The domains "www.truecrypte[.]org" and "www.true-crypte[.]website" were registered on 16th and 17th of November 2015, 20 days before the first sighting of "dcomx32.exe", so it's possible that there are previous versions of TruvaSys.

There is a strong suspicion that the code was written by several people due to the fact the main module of TruvaSys was written in Delphi, instead the modules of StrongPity were written in C++ and it uses the Curl library, therefore more people are working on this project of espionage.

In the report Microsoft made, a further connection with another APT classified under the name NEODYMIUM emerged. This APT, according to Microsoft, uses a backdoor component developed by the German company FinFisher GmbH, known company that sells spyware exclusively to government agencies.


Author: Gianfranco Tonello
TG Soft's Research Centre (C.R.A.M.)

Back on top





Any information published on our website can be used and posted on other websites, blogs, forums, facebook and/or in any other form both on paper and electronically so long as you always cited source explicitly "Fonte: C.R.A.M. by TG Soft www.tgsoft.it"
fb rss linkedin twitter
 




Legal & Eula | Privacy | Uninstall

TG Soft S.a.s. - via Pitagora 11/B, 35030 Rubàno (PD), ITALY - C.F. e P.IVA 03296130283