Research and Application of Code Similarity Based on Submission
StrongPity, aka Promethium, a potentially state-sponsored APT group active since 2012, isn’t letting exposed campaigns in recent years stop it from trying to install malware around the world, particularly in warzones such as Syria.
Two separate reports this week from Cisco Talos and Bitdefender suggest the attackers are getting more aggressive in their geo-targeted malicious activities. The infection vector appears to be a global moving target. Recent StrongPity3 attempts identified by Talos focused on Colombia, India, Canada and Vietnam. Meanwhile, Bitdefender tracked a campaign starting Oct. 1, 2019, that targeted victims in Turkey and Syria, suggesting that the attackers are interested in the Kurdish conflict.
“Promethium has been resilient over the years,” Talos’ post stated. “Its campaigns have been exposed several times, but that was not enough to make the actors behind it stop.” Talos matched indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, which led it to approximately 30 new C2 domains.
Despite the number of samples and the quantity of C2 servers, Cisco Talos did not identify the infection vector: it found no evidence that the websites of the legitimate applications had been compromised to host the malicious installers, and nothing indicating a supply-chain attack.
As code repositories keep growing, detecting similar code becomes harder, and so does reusing and rechecking existing code.
To address this problem, Yu Lang proposed a submission-based code recommendation and checking method. It uses differential code cloning and word-vector methods to find a candidate set of code similar to the incremental (newly submitted) text, then applies feature extraction and clustering to select the most relevant code from that candidate set, yielding the repeated code. The results are then recommended to programmers together with relevance scores.
Experimental results show that this method is feasible to some extent.
Read the full paper in the Journal of Networking and Telecommunications:
PiscoMed Publishing started off with a focus on advancing medical research; however, with the advancement of all areas of science, technology and medicine, PiscoMed has decided to venture into all areas of research, publishing quality journals that support the scholarly and professional community across the globe.