win.micropsia

Micropsia

Actor(s): AridViper


Micropsia ("MICROPSIA") is an information-stealing malware family written in Delphi. It has a wide range of data-theft functionality built in.

References
2023-04-04, Symantec, Threat Hunter Team: "Mantis: New Tooling Used in Attacks Against Palestinian Targets". https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks (accessed 2023-04-25). Tagged: Arid Gopher, Micropsia.

2022-02-02, Cisco, Asheer Malhotra and Vitor Ventura: "Arid Viper APT targets Palestine with new wave of politically themed phishing attacks, malware". https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html (accessed 2022-02-04). Tagged: Micropsia.

2021-04-21, Facebook, Michael Flossman and Michael Scott: "Technical Paper // Taking Action Against Arid Viper" (technical report). https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf (accessed 2021-04-28). Tagged: Viper RAT, Micropsia.

2019-08-15, Github (jeFF0Falltrades), Jeff Archer: "MICROPSIA (APT-C-23)". https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md (accessed 2019-12-10). Tagged: Micropsia.

2018-07-08, Check Point Research: "APT Attack In the Middle East: The Big Bang". https://research.checkpoint.com/apt-attack-middle-east-big-bang/ (accessed 2020-01-08). Tagged: Micropsia, The Big Bang.

2017-06-19, Cisco Talos, Paul Rascagnères, Warren Mercer, Emmanuel Tacheau, Vanja Svajcer and Martin Lee: "Delphi Used To Score Against Palestine". http://blog.talosintelligence.com/2017/06/palestine-delphi.html (accessed 2019-07-27). Tagged: Micropsia, AridViper.

2017-04-05, Palo Alto Networks Unit 42, Tomer Bar and Tom Lancaster: "Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA". http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/ (accessed 2019-12-20). Tagged: KasperAgent, Micropsia.
Yara Rules
[TLP:WHITE] win_micropsia_w0 (20191121 | No description)
rule win_micropsia_w0 {
    meta:
        author = "jeFF0Falltrades"
        hash = "4c3fecea99a469a6daf2899cefe93d9acfd28a0b6c196592da47e917c53c2c76"
        source = "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia"
        malpedia_version = "20191121"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $gen_app_id = { 53 31 DB 69 93 08 D0 68 00 05 84 08 08 42 89 93 08 D0 68 00 F7 E2 89 D0 5B C3 } // 0x4072f0 loop which generates the unique "App ID"
        $get_temp_dir = { 68 00 04 00 00 8d 44 24 04 50 8b c7 e8 [4] 8b e8 55 e8 [2] fe ff } // 0x0042C689 func retrieving %TEMP%
        $str_install_appid = "ApppID.txt" wide ascii nocase

    condition:
        2 of them
}