SYMBOLCOMMON_NAMEaka. SYNONYMS
win.strongpity (Back to overview)

StrongPity

Actor(s): PROMETHIUM, StrongPity

There is no description at this point.

References
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-01Medium 0xthreatintel0xthreatintel
@online{0xthreatintel:20210201:uncovering:d7b9216, author = {0xthreatintel}, title = {{Uncovering APT-C-41 (StrongPity) Backdoor}}, date = {2021-02-01}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4}, language = {English}, urldate = {2021-02-02} } Uncovering APT-C-41 (StrongPity) Backdoor
StrongPity
2020-12-31cyblecybleinc
@online{cybleinc:20201231:strongpity:bb6ab94, author = {cybleinc}, title = {{StrongPity APT Extends Global Reach with New Infrastructure}}, date = {2020-12-31}, organization = {cyble}, url = {https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/}, language = {English}, urldate = {2021-01-04} } StrongPity APT Extends Global Reach with New Infrastructure
StrongPity
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-10-30360Threat Intelligence Center
@online{center:20201030:aptc41:ede60de, author = {Threat Intelligence Center}, title = {{蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露}}, date = {2020-10-30}, organization = {360}, url = {https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg}, language = {Chinese}, urldate = {2020-11-02} } 蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露
StrongPity
2020-06-30BitdefenderLiviu Arsene, Radu Tudorica, Cristina Vatamanu, Alexandru Maximciuc
@techreport{arsene:20200630:strongpity:ed365fb, author = {Liviu Arsene and Radu Tudorica and Cristina Vatamanu and Alexandru Maximciuc}, title = {{StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure}}, date = {2020-06-30}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf}, language = {English}, urldate = {2020-06-30} } StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure
StrongPity
2020-06-29Cisco TalosWarren Mercer, Paul Rascagnères, Vitor Ventura
@online{mercer:20200629:promethium:e80cd47, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{PROMETHIUM extends global reach with StrongPity3 APT}}, date = {2020-06-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html}, language = {English}, urldate = {2020-06-30} } PROMETHIUM extends global reach with StrongPity3 APT
StrongPity
2018-03-09Bill Marczak, Jakub Dalek, Sarah McKune, Adam Senft, John Scott-Railton, Ron Deibert
@online{marczak:20180309:sandvines:14ef912, author = {Bill Marczak and Jakub Dalek and Sarah McKune and Adam Senft and John Scott-Railton and Ron Deibert}, title = {{Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?}}, date = {2018-03-09}, url = {https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/}, language = {English}, urldate = {2020-01-05} } Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?
StrongPity
2017-12-08ESET ResearchFilip Kafka
@online{kafka:20171208:strongpity2:116d419, author = {Filip Kafka}, title = {{StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?}}, date = {2017-12-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/}, language = {English}, urldate = {2019-11-14} } StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?
StrongPity
2016-10-12Twitter (@PhysicalDrive0)PhysicalDrive0
@online{physicaldrive0:20161012:strongpity:86fba4e, author = {PhysicalDrive0}, title = {{Tweet on StrongPity}}, date = {2016-10-12}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/physicaldrive0/status/786293008278970368}, language = {English}, urldate = {2020-01-06} } Tweet on StrongPity
StrongPity
2016-10-03Kaspersky LabsKurt Baumgartner
@online{baumgartner:20161003:strongpity:d4a8c09, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/}, language = {English}, urldate = {2019-12-20} } On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users
StrongPity
Yara Rules
[TLP:WHITE] win_strongpity_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_strongpity_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 8b7508 f7d1 85f6 }
            // n = 4, score = 500
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   f7d1                 | not                 ecx
            //   85f6                 | test                esi, esi

        $sequence_1 = { a1???????? 33c4 89442450 8b03 55 8ba828010000 8b4d00 }
            // n = 7, score = 300
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   55                   | push                ebp
            //   8ba828010000         | mov                 ebp, dword ptr [eax + 0x128]
            //   8b4d00               | mov                 ecx, dword ptr [ebp]

        $sequence_2 = { e8???????? 8bd8 83c408 85db 0f85f5020000 8b442420 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   83c408               | add                 esp, 8
            //   85db                 | test                ebx, ebx
            //   0f85f5020000         | jne                 0x2fb
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]

        $sequence_3 = { 52 ff15???????? 83c404 837c241000 750a 837d0400 0f852e020000 }
            // n = 7, score = 300
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   837c241000           | cmp                 dword ptr [esp + 0x10], 0
            //   750a                 | jne                 0xc
            //   837d0400             | cmp                 dword ptr [ebp + 4], 0
            //   0f852e020000         | jne                 0x234

        $sequence_4 = { 83c408 83f8ff 0f845d050000 ff442410 85f6 7fe0 }
            // n = 6, score = 300
            //   83c408               | add                 esp, 8
            //   83f8ff               | cmp                 eax, -1
            //   0f845d050000         | je                  0x563
            //   ff442410             | inc                 dword ptr [esp + 0x10]
            //   85f6                 | test                esi, esi
            //   7fe0                 | jg                  0xffffffe2

        $sequence_5 = { 57 50 8944246c 89442450 }
            // n = 4, score = 300
            //   57                   | push                edi
            //   50                   | push                eax
            //   8944246c             | mov                 dword ptr [esp + 0x6c], eax
            //   89442450             | mov                 dword ptr [esp + 0x50], eax

        $sequence_6 = { 397704 0f8493000000 eb6b 8b54241c 6a04 }
            // n = 5, score = 300
            //   397704               | cmp                 dword ptr [edi + 4], esi
            //   0f8493000000         | je                  0x99
            //   eb6b                 | jmp                 0x6d
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   6a04                 | push                4

        $sequence_7 = { c3 837c240800 56 57 8b7c240c 8db710050000 7534 }
            // n = 7, score = 300
            //   c3                   | ret                 
            //   837c240800           | cmp                 dword ptr [esp + 8], 0
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]
            //   8db710050000         | lea                 esi, [edi + 0x510]
            //   7534                 | jne                 0x36

        $sequence_8 = { 68???????? 50 e8???????? 83c40c 8d85e0fdffff ffb574f7ffff }
            // n = 6, score = 200
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85e0fdffff         | lea                 eax, [ebp - 0x220]
            //   ffb574f7ffff         | push                dword ptr [ebp - 0x88c]

        $sequence_9 = { 899570f7ffff 3b5708 0f82c3feffff e9???????? }
            // n = 4, score = 200
            //   899570f7ffff         | mov                 dword ptr [ebp - 0x890], edx
            //   3b5708               | cmp                 edx, dword ptr [edi + 8]
            //   0f82c3feffff         | jb                  0xfffffec9
            //   e9????????           |                     

        $sequence_10 = { 6a5c 668945f2 58 56 }
            // n = 4, score = 200
            //   6a5c                 | push                0x5c
            //   668945f2             | mov                 word ptr [ebp - 0xe], ax
            //   58                   | pop                 eax
            //   56                   | push                esi

        $sequence_11 = { 83ee01 75f8 e8???????? c3 8b770c 8d4710 8bd6 }
            // n = 7, score = 200
            //   83ee01               | sub                 esi, 1
            //   75f8                 | jne                 0xfffffffa
            //   e8????????           |                     
            //   c3                   | ret                 
            //   8b770c               | mov                 esi, dword ptr [edi + 0xc]
            //   8d4710               | lea                 eax, [edi + 0x10]
            //   8bd6                 | mov                 edx, esi

        $sequence_12 = { e8???????? 83c410 ebe6 8b45e4 8b0c85a8bf4100 8b45e8 f644012880 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   ebe6                 | jmp                 0xffffffe8
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b0c85a8bf4100       | mov                 ecx, dword ptr [eax*4 + 0x41bfa8]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   f644012880           | test                byte ptr [ecx + eax + 0x28], 0x80

        $sequence_13 = { c746345c4b4100 57 ff7634 c6463c01 e8???????? 59 59 }
            // n = 7, score = 200
            //   c746345c4b4100       | mov                 dword ptr [esi + 0x34], 0x414b5c
            //   57                   | push                edi
            //   ff7634               | push                dword ptr [esi + 0x34]
            //   c6463c01             | mov                 byte ptr [esi + 0x3c], 1
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_14 = { 6a2f 59 668908 33c9 8b4608 66890c78 668b45d8 }
            // n = 7, score = 200
            //   6a2f                 | push                0x2f
            //   59                   | pop                 ecx
            //   668908               | mov                 word ptr [eax], cx
            //   33c9                 | xor                 ecx, ecx
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   66890c78             | mov                 word ptr [eax + edi*2], cx
            //   668b45d8             | mov                 ax, word ptr [ebp - 0x28]

    condition:
        7 of them and filesize < 999424
}
Download all Yara Rules