StrongPity modifies the following registry key in order to run the module nvvscv.exe at startup:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[Nvdia] = %userprofile%\AppData\Local\temp\sega\nvvscv.exe
Running of StrongPity
The module of StrongPity nvvscv.exe will automatically run at startup. This module is responsible of loading the libraries:
- Prst.dll (keylogger)
- wrlck.dll (module of comunication of C&C)
Both Prst.dll and wrlck.dll export a unique function called: start_thread
The module nvvscv.exe creates 2 threads, where it is passed as parameter the name of library to load (Prst.dll and wrlck.dll) , subsequently it will call the function: start_thread.
Keylogger module: prst.dll
The module prst.dll of StrongPity functions as a keylogger.
This DLL library only exports the function "start_thread" called by nvvscv.exe.
Initially it reads the "prst.cab" configuration file, whose contents are ciphered, as we can see in the following image:
The cipher algorithm is the following:
After the decryption, the following result is obtained:
The configuration file "prst.cab" saved inside WRar531it.exe, contains the following list of programs:
- putty.exe
- filezilla.exe
- winscp.exe
In other variants of StrongPity, we have found a configuration file "prst.cab" with the following programs:
- putty.exe (client SSH and Telnet)
- filezilla.exe (FTP)
- winscp.exe (FTP)
- mstsc.exe (remote desktop)
- mRemoteNG.exe (remote connections manager: RDP, VNC, ICA, etc.)
After it reads the file "prstind.bin", if it doesn't exist then it creates this file and initializes it with the value 0 (DWORD 64 bit), otherwise it reads the numerical value saved. The file "prstind.bin" is used only to save a counter.
The keylogger creates a timer that starts every 180 seconds and it's used to increment the counter saved in "prstind.bin".
To implement the functions of keylogger, the module "prst.dll" gets hooked to all keys (lower and upper case) with the RegistryHotKey API. When a key is pressed, the keylogger intercept it and determines the process name and the title of the window where the key was pressed.
If the process belongs to a program inside the "prst.cab" file, the keylogger saves the process name, the title of the window and the sequence of keys pressed in the file msattrib32_%s_k_%u.res
where:
- %s is a string that contains the serial number of volume of disk C:
- %u is a number (0, 1, 2, etc) of counter saved in prstind.bin
example: msattrib32_2564879395_k_0.res
As we can see from the list of programs inside in "prst.cab", StrongPity is interested in stealing the login credentials in order to connect to several services such as FTP, SSH, telnet, RDP, etc. This way StrongPity will have full access via ftp, telnet, remote desktops of servers and clients of victims, with the possibility of stealing every document.
C&C management module: wrlck.dll
The wrlck.dll module of StrongPity manages the communication with the C&C server.
This library only exports one function which is "start_thread" called by nvvscv.exe.
Initially it reads the ciphered "wrlck.cab" configuration file, as we can see:
Decrypting the file "wrlck.cab", we can obtain:
The configuration file "wrlck.cab" contains the following sites:
| https://myrappid[.]com/flappy/butterflys.php |
First C&C server |
| https://myrappid[.]com/flappy/turtles.php |
First C&C server |
| https://pinkturtle[.]me/flappy/butterflys.php |
Second C&C server |
| https://pinkturtle[.]me/flappy/turtles.php |
Second C&C server |
At end of the configuration file "wrlck.cab", we can find the code: "wnit".
Analysing several configuration files of Strongpity, taken from different release of WinRAR Italy, Belgium and from TrueCrypt software, this code could represent the campaign's ID:
| Software |
Code |
Note |
| WinRAR Italy |
wnit |
Italy |
| WinRAR Belgium |
winrarbe |
Belgium |
| TrueCrypt |
szlk02 |
Turkey (????) |
After reading from memory the contents of "wrlck.cab", StrongPity calls the ShGetSpecialFolder API to obtain the following paths:
- C:\Program Files
- C:\Program Files (x86)
It opens the file "
msattrib32_%s_i", if it doesn't exist then it reads the operating system's version to establish if the computer is either a
CLIENT or a
SERVER, consequently it creates the file "
msattrib32_%s_i" in order to save the value "CLIENT" or "SERVER" depending on the operating system's version.
The value %s in the filename "
msattrib32_%s_i" is made in this way: <code>_<
serial number of volume of disk C:>
example:
msattrib32_wnit_2564879395_i
From this point onwards it starts to enumerate the contents of following folder:
- C:\Program Files
- C:\Program Files (x86)
in order to identify the sub-folders (non recursive). The names of sub-folders of "C:\Program Files" and of "C:\Program Files (x86)" will be saved in the file "
msattrib32_%s_i" in encrypted form.
At this point StrongPity will create a new thread that will remain in wait state for a few seconds.
The main thread of StrongPity will cyclically connect to the C&C server.
StrongPity uses 2 servers of command & control, the first and the main one is
myrappid[.]com, in the case the connection failure it will try the
pinkturtle[.]me.
The first request is of type
post at page
https://myrappid[.]com/flappy/turtles.php, with the following request:
name=<code_serialnumbervolume>
example: name=wnit_2564879395
The reply of the server is saved in the file
tmp_cmd
The data received is structured in this way:
| Offset |
Field |
| 0x00 |
Filename |
| 0x10 |
??? |
| 0x20 |
Code DWORD |
| 0x24 |
Size of next field |
| 0x28 |
Data |
At this point it creates a new file, with the name taken from offset 0x00 "Filename" from the file
tmp_cmd and will save in it the data from the offset 0x28 of
tmp_cmd.
If the file created is
wndplyr.cab then it will run the file
wndplyr.exe and
nmds.exe, otherwise it will run only the file
nmds.exe.
Inside the folder "
sega" we didn't find the file
nmds.exe. This may be due to peculiar circumstances that we aren't able to reproduce, because the
StrongPity domains are offline.
Meanwhile the new thread created by StrongPity enumerates all files
msattrib32_* presents inside the folder "
sega".
In this way StrongPity seeks the followings file:
- msattrib32_%s_i
- msattrib32_%s_k_%u.res
In the
msattrib32_%s_i file, the list of programs installed in C:\Program Files and in C:\Program Files (x86) is saved. On the other hand, inside the
msattrib32_%s_k_%u.res files the sequences of keys pressed is saved
These file will be sent via a "post" request at server of comand & control: https://myrappid[.]com/flappy/butterflys.php.
If the submit fails then a second server will be contacted: https://pinkturtle[.]me/flappy/butterflys.php.
The page
turtles.php is used to receive comands from the C&C server, instead the page
butterflys.php is used to send stolen information.
Information about domains:
| Name |
IP |
Date of creation |
| myrappid[.]com |
109.236.92.237 |
Created on 2016-01-19 - Expires on 2017-01-19 - Updated on 2016-01-19 |
| pinkturtle[.]me |
109.236.92.237 |
Created on 2016-01-21 - Expires on 2017-01-21 - Updated on 2016-03-21 |
| ralrab[.]com |
139.59.15.88 |
Created on 2015-10-27 - Expires on 2017-10-27 - Updated on 2016-09-29 |
| mytoshba[.]com |
109.236.92.237 |
Created on 2016-01-19 - Expires on 2017-01-19 - Updated on 2016-01-19 |
DDoS module: wndplyr.exe
The module of StrongPity wndplyr.exe is developed to run DDoS attack towards a pre-established targets.
This malware is ran by the wrlck.dll library when it receives the command from the C&C server to create the file wndplyr.cab, which contains the information about the site to attack.
The file wndplyr.cab is ciphered and it's structured in this way:
<domain to attack><0x0a><page><0x0a><protocol><0x0a><code><0x0a>
For example if the value of protocol is 80, this means a http request.
At this point it runs a DDoS attack towards the page of chosen site for an undefined period of time:
Every 10 ms StrongPity runs a connection request to the chosen site (send/recv), in case of connection error, StrongPity waits 1 second before re-opening the socket and re-starting the attack.
Cyber attack hit the website of the Bar Association of Diyarbakir: diyarbakirbarosu.org.tr
The 25th May 2016 at 18:41 o'clock (italian time) the module of StrongPity wndplyr.exe launched a DDoS attack (HTTP flood) towards the website of the Bar Association of the city of Diyarbakir: diyarbakirbarosu.org.tr
The 25th May 2016 the module wrlck.dll received the command of creating the following file wndplyr.cab:
Decrypting the file wndplyr.cab:
Domain to attack: diyarbakirbarosu.org.tr
Webpage: filemanager/BAROBLTENZELSAYI.pdf
Protocol: 80
The 25th May 2016 StrongPity has ran a DDoS attack (HTTP flood) towards: http://diyarbakirbarosu.org.tr/filemanager/BAROBLTENZELSAYI.pdf
The filename "BAROBLTENZELSAYI.pdf" should mean "BARO BÜLTEN ÖZEL SAYI" in Turkish and translated into english is more or less equivalent to: "LAWYERS NEWSLETTER SPECIAL EDITION".
The contents of the "BAROBLTENZELSAYI.pdf" document are unknown and trying to download it the following access denied error at file is obtained:
The search with Google of the "BAROBLTENZELSAYI.pdf" or "BAROBLTENZELSAYI" terms didn't obtain any results. This may be due to the fact that the document is not indexed, but the author of StrongPity is aware of the existence of such files.
Why does StrongPity try to sabotage the site of the Bar Association of Diyarbakir ?
Before answering this question we need to understand what the Bar Association of Diyarbakir is and who was the Kurdish Tahir Elçi human rights activist lawyer.
Diyarbakir Bar Association (diyarbakirbarosu.org.tr) is an organization which works for human rights and for the state of rights in Turkey.
The former chairman of Diyarbakir Bar Association, the Kurdish lawyer Tahir Elçi, was killed in the Sur district of Diyarbakir in Turkey on 28th November 2015. He was shot once in the head while giving a press statement at the "Four-legged Minaret" of Sheikh Matar Mosque.
.
The news of the murder of the Kurdish lawyer was taken up by the major Italian and international newspapers:
The Kurdish lawyer Tahir Elçi was arrested on 20th of October 2015 for allegedelly saying on CNN Turk that the PKK was not a terrorist organisation. After his arrest and interrogation, the prosecutor requested the court to impose pre-trial detention. The court ordered Mr. Elçi’s release.
Every 10 ms StrongPity runs a connection request to the chosen site (send/recv), in case of connection error, StrongPity waits 1 second before re-opening the socket and re-starting the attack.
Others Cyber attack by StrongPity
The 1st September 2016 at 15:05 o'clock (italian time) the module of StrongPity wndplyr.exe launched a DDoS attack (HTTP flood) towards the IP address 95.85.30.15 on the page "xsyndll".
StrongPity in TrueCrypt
After having analysed StrongPity inside of WinRAR, we will now analyse the version "altered" of TrueCrypt spread in Turkey.
Name of file: TrueCrypt-7.2.exe
Size: 5530624 byte
MD5: 563C9FACE8A03F1EE91E78CC0F913410
This file has been seen the first time on VirusTotal: 2016-10-10 18:02:31 UTC
Inside the file TrueCrypt-7.2.exe we find the following resources:
The resources inside the HTML folder are the following files:
- 103: procexp.exe (size 4.535.808 byte)
- 105: StrongPity module xsyn.dl
- 106: StrongPity configuration file xsyn.cab
- 107: StrongPity module xykl.dll
- 108: StrongPity configuration file prst.cab
- 109: StrongPity module nvvscv.exe
- 110: StrongPity module wndplyr.exe
In the StrongPity version of WinRAR, the resource 103 contained the original setup of WinRAR. In the "altered" version of TrueCrypt-7.2.exe, the resource 103 contains another "altered" setup of TrueCrypt.
Resources inside the file procexp.exe (resource HTML->103 of TrueCrypt-7.2.exe):
Here we find 5 resources encrypted inside the HTML folder:
- 814: Truvasys module dcomx32.exe
- 816: Truvasys module winxsys.exe
- 817: original setup of TrueCrypt
- 823: Truvasys module resdllx.dll
- 824: Truvasys configuration file syswindxr32.dll
The original setup of TrueCrypt is inside the resource HTML 817.
The other resources 814, 816, 823 e 824 contain the malware: Truvasys.
Scheme of StrongPity and TruvaSys inside the "altered" file TrueCrypt:
Brief description of StrongPity inside in TrueCrypt:
- nvvscv.exe: main module that loads the DLLs xsyn.dll and xykl.dll
- xsyn.dll: command & control server module
- xykl.dll: keylogger module
- xsyn.cab: connection configuration file used to connect to the C&C server
- prst.cab: keylogger configuration file
- wndplyr.exe: DDoS module
- jhisrvc32_%s_i: file where the list of programs of C:\Program Files and C:\Program Files (x86) is saved
- jhisrvc32_%s_k_%u_i.res: file where the pressed keys are saved
- tmp_cmd: file for receiving the commands of the C&C server
- PrstInd.bin: counter file
StrongPity modifies the following registry key in order to run the module nvvscv.exe at startup:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[EAGames] = %userprofile%\AppData\Local\temp\eagames\nvvscv.exe
In this version of StrongPity, the configuration file prst.cab is only 2 byte in lenght, it doesn't contain any process list checked by the keyologger module. The keylogger module will intercept any key pressed in any window of each program where we are working.
The file xsyn.cab contains the same addresses of the C&C server previously seen in the WinRAR version:
- https://www.myrappid[.]com
- https://www.pinkturtle[.]me
The code inside of file xsyn.cab is szlk02.
Differences among StrongPity of WinRAR and TrueCrypt:
| Field |
WinRAR |
TrueCrypt |
| Directory |
sega |
eagames |
| Registry |
Nvdia |
EAGames |
| Main module |
nvvscv.exe |
nvvscv.exe |
| Keylogger |
Prst.dll |
xykl.dll |
| Conf. file keylogger |
prst.cab |
prst.cab |
| C&C Module |
wrlck.dll |
xsyn.dll |
| Conf. file C&C |
wrlck.cab |
xsyn.cab |
| DDoS Module |
wndplyr.exe |
wndplyr.exe |
| Conf. file DDoS |
wndplyr.cab |
qwqw.cab |
| File temp cmd |
tmp_cmd |
tmp_cmd |
| Keylogger file saved |
msattrib32_%s_k_%u.res |
jhisrvc32_%s_k_%u_i.res |
| Programs file saved |
msattrib32_%s_i |
jhisrvc32_%s_i |
| Counter file |
PrstInd.bin |
PrstInd.bin |
| Domains |
https://www.myrappid[.]com
https://www.pinkturtle[.]me
|
https://www.myrappid[.]com
https://www.pinkturtle[.]me
|
The DDoS module wndplyr.exe of StrongPity (vers. TrueCrypt) uses as configuration file qwqw.cab. Compared to the version found in WinRAR, the DDoS module only runs "send" requests with a 1 ms pause. We don't have the qwqw.cab configuration file, so it isn't possible to provide further information.
TruvaSys in TrueCrypt
Now we will analyse the TruvaSys malware inside the "altered" TrueCrypt-7.2.exe file.
The execution of the "altered" TrueCrypt-7.2.exe file, will run from %temp% folder the file "procexp.exe". The file "procexp.exe" is an "altered" version of TrueCrypt, which will infect the computer with TruvaSys.
Name: procexp.exe
Size: 4535808 byte
MD5: C43ACCF1C69C3020583AA587924AC9A5
This file has been seen the first time on VirusTotal: 2015-12-09 12:51:16 UTC
TruvaSys installs the followings file:
- %system32%\dcomx32.exe
- %system32%\resdllx.dll
- %system32%\syswindxr32.dll
- %system32%\winxsys.exe
- %temp%\Microsoft\IKE\fprot32.exe
- %temp%\resplgdll32\fprot32.exe
- %temp%\resplgdll32\vId.bin
Name: dcomx32.exe
Size: 171.832 byte
MD5: C2D1047CB273F9CDB3704C1AF9CCC2C6
This file has been seen the first time on VirusTotal: 2015-10-27 18:19:25 UTC
Name: resdllx.dll
Size: 729.587 byte
MD5: 5F69F01D7819A4DA35B0FDABABA49AA0
Name: syswindxr32.dll
Size: 49 byte
MD5: 3DFF9D2AE5046E106EE6E9CF95B47931
Name: winxsys.exe
Size: 848.896 byte
MD5: F00F547501DBD6ABC01DFCD8CDC8378F
This file has been seen the first time on VirusTotal: 2015-11-26 14:27:43 UTC
Name: fprot32.exe
Size: 91.960 byte
MD5: 22ED9FD371A1AE4B16C773895B0A6E6A
This file has been seen the first time on VirusTotal: 2015-10-27 18:19:27 UTC
Name: vId.bin
Size: 4 byte
MD5: 0F3D014EEAD934BBDBACB62A01DC4831
The file resdllx.dll is a zip archive, which inside contains the following files:
- fprot32.exe
- libeay32.dll (library of OpenSSL)
- ssleay32.dll (library of OpenSSL)
TruvaSys installs the following service:
Name of Service: Windows Index Services
Path of service: c:\windows\system32\dcomx32.exe
The service dcomx32.exe runs the file winxsys.exe via the CreateProcessAsUser API.
The file winxsys.exe is the main module of TruvaSys ans it is written in Delphi.
The file syswindxr32.dll contains the list of C&C servers:
- www.truecrypte[.]org
- www.true-crypte[.]website
The file fprot32.exe is ran from winxsys.exe with some parameters for the sockets creation of type: SOCK_STREAM (protocol IPPROTO_TCP), SOCK_DGRAM (IPPROTO_UDP) and SOCK_RAW (IPPROTO_ICMP).
At the moment the servers of command & control are offline, so it isn't possible to make a deep analysis of TruvaSys.
Information about domains:
| Name |
IP |
Date of creation |
| www.truecrypte[.]org |
98.124.243.37 |
Created on 2015-11-17 - Expires on 2017-11-17 - Updated on 2016-12-02 |
| www.true-crypte[.]website |
198.54.117.212 |
Created on 2015-11-16 - Expires on 2016-11-16 - Updated on 2016-12-22 |
Conclusions
In these months we have analysed in full detail the evolution of
StrongPity, which spreads through the "altered" software of WinRAR and TrueCrypt.
We can state with accuracy that the software "WinRAR" and "TrueCrypt" are used as vector of infections and not as main targets. Additionally, the users of TrueCrypt may be hiding reserved or classified informations that cannot be disclosed.
StrongPity is a malware of espionage that can steal reserved informations, such as login credentials of servers or computers, via ftp softwares (filezilla,
winscp), client SSH (putty), remote desktop (
mstsc, mRemoteNG) and launch DDoS attacks.
StrongPity has become widespred in Italy, Belgium and Turkey. From our analysis it is clear that the authors of
StrongPity project could be Turkish, most likely close to the current political regime.
On the 25
th of May 2016 at 18:41 o'clock (italian time) we have discovered a DDoS attack on the
DiyarbakirBar Association website, whose chairman previously was the Kurdish lawyer
Tahir Elçi, a human rights activist. He was assassinated on 28
th of November 2015 in unclear circumstances. The Kurdish lawyer
Tahir Elçi, a few weeks before the killing, had stated in a TV program of CNN Turk, that the PKK was not a terrorist organisation, therefore Mr. Elçi was seen as an "incovenient" person by the turkish regime.
Why attack Italy ?
It's very difficult to reply to this question, we don't have the reliable elements that allow us to provide an answer. However, it is possible to venture the hypothesis of a possible connection Turkey-Italy, related to the investigation of the case that involves the son of Prime Minister Erdogan turkish for money laundering in February 2016 conducted by the prosecutor of Bologna. This investigation is still ongoing.
Connected to
StrongPity, it has been found inside of the "altered" software TrueCrypt another malware dubbed:
TruvaSys.
From our checks,
TruvaSys may have been developed before
StrongPity. Indeed some modules of
TruvaSys, as
dcomx32.exe, were seen the first time on the 27
th October 2015 on VirusTotal, instead the modules of
StrongPity were detected for the first time only in May 2016.
TruvaSys was most likely made before
StrongPity, an evidence for this are the dates of registration of the C&C servers domains that enforce this conclusion.
It is interesting to observe that the domain "
ralrab[.]com", used for the version of WinRAR Belgium, that was registered on 27 October 2015, therefore several months before the attack seen in May 2016.
The domains "
www.truecrypte[.]org" and "www.true-crypte[.]website" were registered on 16
th and 17
th of November 2015, 20 days before the first sighting of "
dcomx32.exe", so it's possible that there are previous versions of
TruvaSys.
There is a strong suspicion that the code was written by several people due to the fact the main module of
TruvaSys was written in
Delphi, instead the modules of
StrongPity were written in
C++ and it uses the
Curl library, therefore more people are working on this project of espionage.
In the report
Microsoft made, a further connection with another APT classified under the name
NEODYMIUM emerged. This APT, according to Microsoft, uses a backdoor component developed by the German company
FinFisher GmbH, known company that sells spyware exclusively to government agencies.
Indicators of Compromise (IOC)
Hashes
71BFE79ADBD00F6D0E928437198AFBCD
7A1D3F6A12D5D4F78D27F7CD255508DB
C566DBDB2C90D5B132188355BB93D700
4BB11AE6982BA3298DBC26928F5B2057
6D126DF4F6D79EEACAA7C5559734DB92
5A522E86AB335F5AB3ABD6EBFA4B5019
C0BA6CB9F4A85775D4D2960DE306ABBC
DE9AB74D4E9D9335319C2178CAEC9C72
04A74C08692CE312B8701B82B21E95B9
5A522E86AB335F5AB3ABD6EBFA4B5019
924D1B948B8163A0A7048CE5CCC2AE9F
D6CA4BBF35D62EA60663E62366849B4F
5B672219893F0B4CAC4F726559C122FB
563C9FACE8A03F1EE91E78CC0F913410
C2D1047CB273F9CDB3704C1AF9CCC2C6
5F69F01D7819A4DA35B0FDABABA49AA0
3DFF9D2AE5046E106EE6E9CF95B47931
F00F547501DBD6ABC01DFCD8CDC8378F
22ED9FD371A1AE4B16C773895B0A6E6A
0F3D014EEAD934BBDBACB62A01DC4831
D714E59CBDA0FD6FCCEA7510404BEEE1
Domain names
myrappid.com
pinkturtle.me
ralrab.com
mytoshba.com
www.truecrypte.org
www.true-crypte.website
diyarbakirbarosu.org.tr
IP Addresses
109.236.92.237
139.59.15.88
98.124.243.37
198.54.117.212
95.85.30.15
Author:
Gianfranco Tonello
StrongPity APT has spread through the WinRAR software distributed in Italy and Belgium, and through TrueCrypt software in Turkey.
