FinFisher Watering Hole Exploits Are Replaced By A New RAT Called StrongPity2

Vietnamese Hackers Oceanlotus Breach 100 Plus Websites

According to digital protection specialists, a new form of spying software called StrongPity2 has replaced the infamous FinFisher virus, previously used by intelligence gatherers and governments to gain backdoor access to user systems, hacking webcams, microphones, getting access to keystroke logs, web history, and more.

Tomas Kafka, a researcher with the ESET antivirus company, explains in a blogpost published this Friday, December 8th, that the new malware, bearing its name after the hacker collective that built it, StrongPity, uses similar methods as FinFisher in order to spread through MitM (man-in-the-middle) attacks on famous digital portals with high data traffic.

According to Mr. Kafka, ESET reported on a number of campaigns in different states that used MitM attacks to spread FinFisher and StrongPity2 spyware softs. Nonetheless, the reported campaigns were seemingly taken off the Internet on September 21st, after ESET published its findings.

Over the next month, the campaign appeared online again, using the same methods to distribute the malware, redirecting browser activity in real-time by using Hypertext Transfer Protocol redirects to set up the hacks and spread StrongPity2 to users.

The data gathered so far suggests that a great number of popular downloads and digital portals have been compromised by StrongPity operatives. Among these, rather remarkable are WinRar v5.50, Opera, Skype, CCleaner v5.34, and the 32-bit v2.2.6 version of the VLC Media Player.

Tomas Kafka reports that the scenario used to spread FinFisher is almost identical to the one used to spread StrongPity2 – upon commencing a download, the website redirects the user to a fake portal that has a virus-filled version of the desired object on it. According to ESET, in summer, 2016, Italy and Belgium residents were primarily targeted using this method by StrongPity.

The researchers explain that, while several segments of StrongPity2’s source code and FinFisher’s bear only a few key similarities, most of it is identical. Both the spyware softs use an algorithm engaging in uncommon obfuscation patterns, the same version of libcurl, respectively v7.45, and the same exfil methods.

Apart from data exfiltration capabilities, StrongPity2 can also embed and run scripts from other forms of malware by exploiting the credentials linked to a breached device.

Currently, ESET has gathered over 100 accounts of StrongPity2 infection. Despite its potentially serious impact, the malware can be easily scanned for and terminated by employing any number of freely available online spyware detection and removal tools.