SYMBOLCOMMON_NAMEaka. SYNONYMS
win.strongpity (Back to overview)

StrongPity

Actor(s): PROMETHIUM, StrongPity

There is no description at this point.

References
2021-02-01Medium 0xthreatintel0xthreatintel
@online{0xthreatintel:20210201:uncovering:d7b9216, author = {0xthreatintel}, title = {{Uncovering APT-C-41 (StrongPity) Backdoor}}, date = {2021-02-01}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4}, language = {English}, urldate = {2021-02-02} } Uncovering APT-C-41 (StrongPity) Backdoor
StrongPity
2020-12-31cyblecybleinc
@online{cybleinc:20201231:strongpity:bb6ab94, author = {cybleinc}, title = {{StrongPity APT Extends Global Reach with New Infrastructure}}, date = {2020-12-31}, organization = {cyble}, url = {https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/}, language = {English}, urldate = {2021-01-04} } StrongPity APT Extends Global Reach with New Infrastructure
StrongPity
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-10-30360Threat Intelligence Center
@online{center:20201030:aptc41:ede60de, author = {Threat Intelligence Center}, title = {{蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露}}, date = {2020-10-30}, organization = {360}, url = {https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg}, language = {Chinese}, urldate = {2020-11-02} } 蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露
StrongPity
2020-06-30BitdefenderLiviu Arsene, Radu Tudorica, Cristina Vatamanu, Alexandru Maximciuc
@techreport{arsene:20200630:strongpity:ed365fb, author = {Liviu Arsene and Radu Tudorica and Cristina Vatamanu and Alexandru Maximciuc}, title = {{StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure}}, date = {2020-06-30}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf}, language = {English}, urldate = {2020-06-30} } StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure
StrongPity
2020-06-29Cisco TalosWarren Mercer, Paul Rascagnères, Vitor Ventura
@online{mercer:20200629:promethium:e80cd47, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{PROMETHIUM extends global reach with StrongPity3 APT}}, date = {2020-06-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html}, language = {English}, urldate = {2020-06-30} } PROMETHIUM extends global reach with StrongPity3 APT
StrongPity
2018-03-09Bill Marczak, Jakub Dalek, Sarah McKune, Adam Senft, John Scott-Railton, Ron Deibert
@online{marczak:20180309:sandvines:14ef912, author = {Bill Marczak and Jakub Dalek and Sarah McKune and Adam Senft and John Scott-Railton and Ron Deibert}, title = {{Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?}}, date = {2018-03-09}, url = {https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/}, language = {English}, urldate = {2020-01-05} } Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?
StrongPity
2017-12-08ESET ResearchFilip Kafka
@online{kafka:20171208:strongpity2:116d419, author = {Filip Kafka}, title = {{StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?}}, date = {2017-12-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/}, language = {English}, urldate = {2019-11-14} } StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?
StrongPity
2016-10-12Twitter (@PhysicalDrive0)PhysicalDrive0
@online{physicaldrive0:20161012:strongpity:86fba4e, author = {PhysicalDrive0}, title = {{Tweet on StrongPity}}, date = {2016-10-12}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/physicaldrive0/status/786293008278970368}, language = {English}, urldate = {2020-01-06} } Tweet on StrongPity
StrongPity
2016-10-03Kaspersky LabsKurt Baumgartner
@online{baumgartner:20161003:strongpity:d4a8c09, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/}, language = {English}, urldate = {2019-12-20} } On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users
StrongPity
Yara Rules
[TLP:WHITE] win_strongpity_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_strongpity_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 8b7508 f7d1 85f6 }
            // n = 4, score = 500
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   f7d1                 | not                 ecx
            //   85f6                 | test                esi, esi

        $sequence_1 = { a1???????? 33c4 89442450 8b03 55 8ba828010000 8b4d00 }
            // n = 7, score = 300
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   55                   | push                ebp
            //   8ba828010000         | mov                 ebp, dword ptr [eax + 0x128]
            //   8b4d00               | mov                 ecx, dword ptr [ebp]

        $sequence_2 = { e8???????? 8bd8 83c408 85db 0f85f5020000 8b442420 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   83c408               | add                 esp, 8
            //   85db                 | test                ebx, ebx
            //   0f85f5020000         | jne                 0x2fb
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]

        $sequence_3 = { 52 ff15???????? 83c404 837c241000 750a 837d0400 0f852e020000 }
            // n = 7, score = 300
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   837c241000           | cmp                 dword ptr [esp + 0x10], 0
            //   750a                 | jne                 0xc
            //   837d0400             | cmp                 dword ptr [ebp + 4], 0
            //   0f852e020000         | jne                 0x234

        $sequence_4 = { 83c408 83f8ff 0f845d050000 ff442410 85f6 7fe0 }
            // n = 6, score = 300
            //   83c408               | add                 esp, 8
            //   83f8ff               | cmp                 eax, -1
            //   0f845d050000         | je                  0x563
            //   ff442410             | inc                 dword ptr [esp + 0x10]
            //   85f6                 | test                esi, esi
            //   7fe0                 | jg                  0xffffffe2

        $sequence_5 = { 57 50 8944246c 89442450 }
            // n = 4, score = 300
            //   57                   | push                edi
            //   50                   | push                eax
            //   8944246c             | mov                 dword ptr [esp + 0x6c], eax
            //   89442450             | mov                 dword ptr [esp + 0x50], eax

        $sequence_6 = { 397704 0f8493000000 eb6b 8b54241c 6a04 }
            // n = 5, score = 300
            //   397704               | cmp                 dword ptr [edi + 4], esi
            //   0f8493000000         | je                  0x99
            //   eb6b                 | jmp                 0x6d
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   6a04                 | push                4

        $sequence_7 = { c3 837c240800 56 57 8b7c240c 8db710050000 7534 }
            // n = 7, score = 300
            //   c3                   | ret                 
            //   837c240800           | cmp                 dword ptr [esp + 8], 0
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]
            //   8db710050000         | lea                 esi, [edi + 0x510]
            //   7534                 | jne                 0x36

        $sequence_8 = { 68???????? 50 e8???????? 83c40c 8d85e0fdffff ffb574f7ffff }
            // n = 6, score = 200
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85e0fdffff         | lea                 eax, [ebp - 0x220]
            //   ffb574f7ffff         | push                dword ptr [ebp - 0x88c]

        $sequence_9 = { 899570f7ffff 3b5708 0f82c3feffff e9???????? }
            // n = 4, score = 200
            //   899570f7ffff         | mov                 dword ptr [ebp - 0x890], edx
            //   3b5708               | cmp                 edx, dword ptr [edi + 8]
            //   0f82c3feffff         | jb                  0xfffffec9
            //   e9????????           |                     

        $sequence_10 = { 6a5c 668945f2 58 56 }
            // n = 4, score = 200
            //   6a5c                 | push                0x5c
            //   668945f2             | mov                 word ptr [ebp - 0xe], ax
            //   58                   | pop                 eax
            //   56                   | push                esi

        $sequence_11 = { 83ee01 75f8 e8???????? c3 8b770c 8d4710 8bd6 }
            // n = 7, score = 200
            //   83ee01               | sub                 esi, 1
            //   75f8                 | jne                 0xfffffffa
            //   e8????????           |                     
            //   c3                   | ret                 
            //   8b770c               | mov                 esi, dword ptr [edi + 0xc]
            //   8d4710               | lea                 eax, [edi + 0x10]
            //   8bd6                 | mov                 edx, esi

        $sequence_12 = { e8???????? 83c410 ebe6 8b45e4 8b0c85a8bf4100 8b45e8 f644012880 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   ebe6                 | jmp                 0xffffffe8
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b0c85a8bf4100       | mov                 ecx, dword ptr [eax*4 + 0x41bfa8]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   f644012880           | test                byte ptr [ecx + eax + 0x28], 0x80

        $sequence_13 = { c746345c4b4100 57 ff7634 c6463c01 e8???????? 59 59 }
            // n = 7, score = 200
            //   c746345c4b4100       | mov                 dword ptr [esi + 0x34], 0x414b5c
            //   57                   | push                edi
            //   ff7634               | push                dword ptr [esi + 0x34]
            //   c6463c01             | mov                 byte ptr [esi + 0x3c], 1
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_14 = { 6a2f 59 668908 33c9 8b4608 66890c78 668b45d8 }
            // n = 7, score = 200
            //   6a2f                 | push                0x2f
            //   59                   | pop                 ecx
            //   668908               | mov                 word ptr [eax], cx
            //   33c9                 | xor                 ecx, ecx
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   66890c78             | mov                 word ptr [eax + edi*2], cx
            //   668b45d8             | mov                 ax, word ptr [ebp - 0x28]

    condition:
        7 of them and filesize < 999424
}
Download all Yara Rules