win.micropsia

Micropsia

Actor(s): AridViper


Micropsia is an information-stealing malware family written in Delphi. It has a wide range of data theft functionality built in.

References
2023-12-14 | SentinelOne | Aleksandar Milenkoski
Gaza Cybergang | Unified Front Targeting Hamas Opposition
Tags: BarbWire, Micropsia, Pierogi, AridViper

2023-04-04 | Symantec | Threat Hunter Team
Mantis: New Tooling Used in Attacks Against Palestinian Targets
Tags: Arid Gopher, Micropsia

2022-02-02 | Cisco | Asheer Malhotra, Vitor Ventura
Arid Viper APT targets Palestine with new wave of politically themed phishing attacks, malware
Tags: Micropsia

2021-04-21 | Facebook | Michael Flossman, Michael Scott
Technical Paper // Taking Action Against Arid Viper
Tags: Viper RAT, Micropsia

2019-08-15 | Github (jeFF0Falltrades) | Jeff Archer
MICROPSIA (APT-C-23)
Tags: Micropsia

2018-07-08 | Check Point Research | Check Point Research
APT Attack In the Middle East: The Big Bang
Tags: Micropsia, The Big Bang

2017-06-19 | Cisco Talos | Emmanuel Tacheau, Martin Lee, Paul Rascagnères, Vanja Svajcer, Warren Mercer
Delphi Used To Score Against Palestine
Tags: Micropsia, AridViper

2017-04-05 | Palo Alto Networks Unit 42 | Tom Lancaster, Tomer Bar
Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA
Tags: KasperAgent, Micropsia
Yara Rules
[TLP:WHITE] win_micropsia_w0 (20191121 | No description)
rule win_micropsia_w0 {
    meta:
        author = "jeFF0Falltrades"
        hash = "4c3fecea99a469a6daf2899cefe93d9acfd28a0b6c196592da47e917c53c2c76"
        source = "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia"
        malpedia_version = "20191121"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $gen_app_id = { 53 31 DB 69 93 08 D0 68 00 05 84 08 08 42 89 93 08 D0 68 00 F7 E2 89 D0 5B C3 } // 0x4072f0 loop which generates the unique "App ID"
        $get_temp_dir = { 68 00 04 00 00 8d 44 24 04 50 8b c7 e8 [4] 8b e8 55 e8 [2] fe ff } // 0x0042C689 func retrieving %TEMP%
        $str_install_appid = "ApppID.txt" wide ascii nocase

    condition:
        2 of them
}