StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?

Share this…

Continuing our research into FinFisher – the infamous spyware known also as FinSpy and sold to governments and their agencies worldwide – we noticed that the FinFisher malware in our previously-documented campaign, which had strong indicators of internet service provider (ISP) involvement, had been replaced by different spyware. Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the group called StrongPity. As well as detecting and blocking this threat, all ESET products – including the free ESET Online Scanner – thoroughly clean systems compromised by StrongPity2.

As we reported in September, in campaigns we detected in two different countries, Man-in-the-Middle (MitM) attacks had been used to spread FinFisher, with the “man” in both cases most likely operating at the ISP level. According to our telemetry, those campaigns were terminated on 21 September 2017 – the very day we published our research.

On 8 October 2017, the same campaign resurfaced in one of those two countries, using the same (and very uncommon) structure of HTTP redirects to achieve “on-the-fly” browser redirection, only this time distributing Win32/StrongPity2 instead of FinFisher. We analyzed the new spyware and immediately noticed several similarities to malware allegedly operated by the StrongPity group in the past.

The first similarity is the attack scenario – users trying to download a software installation package were being redirected to a fake website serving a trojanized version of the expected installation package. The StrongPity group was observed performing such watering hole attacks in the summer of 2016, targeting mostly Italian and Belgian users of encryption software.

During our research, we found several different software packages trojanized with Win32/StrongPity2:

  • CCleaner v 5.34
  • Driver Booster
  • The Opera Browser
  • Skype
  • The VLC Media Player v2.2.6 (32bit)
  • WinRAR 5.50

Since the beginning of the campaign, our systems have recorded more than one hundred detections of this malware.

We found a number of other similarities between StrongPity-operated malware, and the way in which Win32/StrongPity2 is implemented:

  • Some parts of the code are exactly the same
  • The (not exactly common) structures of their configuration files share some notable similarities, as shown in Figure 1:

Figure 1: Configuration file samples (top: StrongPity, bottom: StrongPity2)

  • Both use the same obfuscation algorithm (a very uncommon Byte ^= ((Byte & 0xF0) >> 4)
  • Both use the same (quite old) libcurl version 7.45
  • Both exfiltrate files in the same way (the main payload handles exfiltration of files previously collected and saved by a dedicated module)

Speaking of stealing data, Win32/StrongPity2 has several file types with the following extensions in its crosshairs:

  • .ppt
  • .pptx
  • .xls
  • .xlsx
  • .txt
  • .doc
  • .docx
  • .pdf
  • .rtf

While searching for these files, it avoids the following folders:

  • %Windows%
  • %Windows.old%
  • %AppData%
  • %Program Files%
  • %Program Files (x86)%
  • %ProgramData%

In addition to data exfiltration, Win32/StrongPity2 is able to download and execute virtually any other (malicious) software of the attacker’s choice, with the privileges held by the compromised account.

How to check your system for compromise, how to clean it and how to stay protected

To determine whether a system is infected with Win32/StrongPity2, the system can be scanned using the free ESET Online Scanner. If Win32/StrongPity2 is detected this tool is able to remove it.

It is also possible to check the system manually by verifying the existence of the folder
%temp%\lang_be29c9f3-83we, which the malware creates to stores its components, with the file wmpsvn32.exe being the main one. Another easy-to-check indicator of compromise is the presence of Registry string value located in the pathHKCU\Software\Microsoft\Windows\CurrentVersion\Run, named Help Manager with the string
%temp%\lang_be29c9f3-83we\wmpsvn32.exe in its data field:


Figure 2: Registry entry used by the malware to gain persistence

Manual clean-up of an infected system includes the following steps:

  1. Killing the main component’s process, wmpsvn32.exe
  2. Deleting the folder %temp%\lang_be29c9f3-83we and all its contents
  3. Deleting the ‘Help Manager’ value in the above-mentioned Registry entry

It is important to note that for real-time, continuous protection we recommend using a reputable multi-layered internet security suite.