The cyber-gang behind the now defunct FinFisher man–in-the-middle attacks has switched over to using a new spyware dubbed StrongPity2 and is now using several popular websites to conduct watering hole attacks to help install this malware.
ESET researcher Tomas Kafka reported StongPity2, which is named after the group StrongPity, took over from FinFisher, shortly after that malware disappeared from the scene in September. StongPity2 appeared one month later using many of the same techniques as FinFisher. FinFisher is a nation-state level tool that has extensive spying capabilities, including live surveillance, keylogging, and exfiltration of files. ESET has noted that it is marketed as a law enforcement tool and is believed to have been used also by oppressive regimes.
There are numerous similarities between StrongPity2 and FinFisher.
ESET noted that not only were parts of the code exactly the same, the structures of their configuration files share some notable similarities, both use the same obfuscation algorithm and both exfiltrate files in the same way.
Finally, the attack itself is conducted in the same manner.
The people behind the attacks go after individuals with what Kafka described as “on the fly” browser redirections to set up a man-in-the-middle attack. With FinFisher it was suspected the “man” in the middle was a person working at the ISP level, but it is not known if a person in this position is still involved.
“The first similarity is the attack scenario – users trying to download a software installation package were being redirected to a fake website serving a trojanised version of the expected installation package.
So far ESET has recorded more than 100 detections of the malware.
StrongPity2's watering hole operations were seen targeting several well-known sites and their software:
· CCleaner v 5.34
· Driver Booster
· The Opera Browser
· The VLC Media Player v2.2.6 (32bit)
· WinRAR 5.50
The good news is the spyware is easily removed using free tools that are available from several sources.