win.strongpity (Back to overview)

StrongPity

Actor(s): PROMETHIUM, StrongPity


There is no description at this point.

References
2021-05-24Anchored Narratives on Threat Intelligence and GeopoliticsRJM
@online{rjm:20210524:tracking:3da0800, author = {RJM}, title = {{Tracking StrongPity with Yara}}, date = {2021-05-24}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara}, language = {English}, urldate = {2021-06-21} } Tracking StrongPity with Yara
StrongPity
2021-04-18Anchored Narratives on Threat Intelligence and GeopoliticsRJM
@online{rjm:20210418:recover:9b9c0a8, author = {RJM}, title = {{Recover your files with StrongPity}}, date = {2021-04-18}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity}, language = {English}, urldate = {2021-05-25} } Recover your files with StrongPity
StrongPity
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-01Medium 0xthreatintel0xthreatintel
@online{0xthreatintel:20210201:uncovering:d7b9216, author = {0xthreatintel}, title = {{Uncovering APT-C-41 (StrongPity) Backdoor}}, date = {2021-02-01}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4}, language = {English}, urldate = {2021-02-02} } Uncovering APT-C-41 (StrongPity) Backdoor
StrongPity
2020-12-31cyblecybleinc
@online{cybleinc:20201231:strongpity:bb6ab94, author = {cybleinc}, title = {{StrongPity APT Extends Global Reach with New Infrastructure}}, date = {2020-12-31}, organization = {cyble}, url = {https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/}, language = {English}, urldate = {2021-01-04} } StrongPity APT Extends Global Reach with New Infrastructure
StrongPity
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-10-30360Threat Intelligence Center
@online{center:20201030:aptc41:ede60de, author = {Threat Intelligence Center}, title = {{蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露}}, date = {2020-10-30}, organization = {360}, url = {https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg}, language = {Chinese}, urldate = {2020-11-02} } 蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露
StrongPity
2020-06-30BitdefenderLiviu Arsene, Radu Tudorica, Cristina Vatamanu, Alexandru Maximciuc
@techreport{arsene:20200630:strongpity:ed365fb, author = {Liviu Arsene and Radu Tudorica and Cristina Vatamanu and Alexandru Maximciuc}, title = {{StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure}}, date = {2020-06-30}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf}, language = {English}, urldate = {2020-06-30} } StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure
StrongPity
2020-06-29Cisco TalosWarren Mercer, Paul Rascagnères, Vitor Ventura
@online{mercer:20200629:promethium:e80cd47, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{PROMETHIUM extends global reach with StrongPity3 APT}}, date = {2020-06-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html}, language = {English}, urldate = {2020-06-30} } PROMETHIUM extends global reach with StrongPity3 APT
StrongPity
2018-03-09Bill Marczak, Jakub Dalek, Sarah McKune, Adam Senft, John Scott-Railton, Ron Deibert
@online{marczak:20180309:sandvines:14ef912, author = {Bill Marczak and Jakub Dalek and Sarah McKune and Adam Senft and John Scott-Railton and Ron Deibert}, title = {{Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?}}, date = {2018-03-09}, url = {https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/}, language = {English}, urldate = {2020-01-05} } Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?
StrongPity
2017-12-08ESET ResearchFilip Kafka
@online{kafka:20171208:strongpity2:116d419, author = {Filip Kafka}, title = {{StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?}}, date = {2017-12-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/}, language = {English}, urldate = {2019-11-14} } StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?
StrongPity
2016-10-12Twitter (@PhysicalDrive0)PhysicalDrive0
@online{physicaldrive0:20161012:strongpity:86fba4e, author = {PhysicalDrive0}, title = {{Tweet on StrongPity}}, date = {2016-10-12}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/physicaldrive0/status/786293008278970368}, language = {English}, urldate = {2020-01-06} } Tweet on StrongPity
StrongPity
2016-10-03Kaspersky LabsKurt Baumgartner
@online{baumgartner:20161003:strongpity:d4a8c09, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/}, language = {English}, urldate = {2019-12-20} } On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users
StrongPity
Yara Rules
[TLP:WHITE] win_strongpity_auto (20210616 | Detects win.strongpity.)
/*
 * Auto-generated detection rule (yara-signator) for the Malpedia family
 * win.strongpity. It fires when at least 7 of the 15 opcode byte sequences
 * ($sequence_0 .. $sequence_14) are present and the scanned object is smaller
 * than 974848 bytes (952 KiB) -- see the condition at the end.
 * The "// n = ..., score = ..." annotations and the per-byte disassembly are
 * emitted by the generator: n is the number of instructions in the sequence
 * (it matches the listed lines). The score semantics are not documented in
 * this rule -- NOTE(review): treat score as generator-internal and confirm
 * against yara-signator before deriving confidence levels from it.
 */
rule win_strongpity_auto {

    meta:
        // Three dates appear below: the generation date of this rule (date),
        // the Malpedia rule-set revision it belongs to (malpedia_rule_date) and
        // the Malpedia snapshot it was published in (malpedia_version) --
        // presumably; the exact meaning is defined by yara-signator/Malpedia.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.strongpity."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Bytes written as ???? are wildcards. They stand in for the 4-byte
        // operand of the preceding opcode (e8 = near call, ff15 = indirect call
        // through memory, 68 = push imm32), which the generator leaves
        // undisassembled because the value is address-dependent. Only the
        // opcode byte(s) of those instructions take part in the match.
        $sequence_0 = { 8bec 56 8b7508 f7d1 85f6 }
            // n = 5, score = 300
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   f7d1                 | not                 ecx
            //   85f6                 | test                esi, esi

        $sequence_1 = { c745f800100000 85c0 750b 56 e8???????? 59 }
            // n = 6, score = 200
            //   c745f800100000       | mov                 dword ptr [ebp - 8], 0x1000
            //   85c0                 | test                eax, eax
            //   750b                 | jne                 0xd
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_2 = { 83cfff 897de4 8365fc00 8b049da8bf4100 }
            // n = 4, score = 200
            //   83cfff               | or                  edi, 0xffffffff
            //   897de4               | mov                 dword ptr [ebp - 0x1c], edi
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8b049da8bf4100       | mov                 eax, dword ptr [ebx*4 + 0x41bfa8]

        $sequence_3 = { 8d857cfbffff c60000 40 83eb01 75f7 85f6 }
            // n = 6, score = 200
            //   8d857cfbffff         | lea                 eax, dword ptr [ebp - 0x484]
            //   c60000               | mov                 byte ptr [eax], 0
            //   40                   | inc                 eax
            //   83eb01               | sub                 ebx, 1
            //   75f7                 | jne                 0xfffffff9
            //   85f6                 | test                esi, esi

        $sequence_4 = { 0f8404020000 85c0 0f84fc010000 56 6a00 }
            // n = 5, score = 200
            //   0f8404020000         | je                  0x20a
            //   85c0                 | test                eax, eax
            //   0f84fc010000         | je                  0x202
            //   56                   | push                esi
            //   6a00                 | push                0

        $sequence_5 = { 7411 68000000a0 6aff ff7718 56 ff15???????? 837f1c00 }
            // n = 7, score = 200
            //   7411                 | je                  0x13
            //   68000000a0           | push                0xa0000000
            //   6aff                 | push                -1
            //   ff7718               | push                dword ptr [edi + 0x18]
            //   56                   | push                esi
            //   ff15????????         |                     
            //   837f1c00             | cmp                 dword ptr [edi + 0x1c], 0

        $sequence_6 = { 33c0 e8???????? c21000 e8???????? 6a5c }
            // n = 5, score = 200
            //   33c0                 | xor                 eax, eax
            //   e8????????           |                     
            //   c21000               | ret                 0x10
            //   e8????????           |                     
            //   6a5c                 | push                0x5c

        $sequence_7 = { 6a01 0f45d0 68???????? 668955ec ff15???????? 8b5de4 8bf0 }
            // n = 7, score = 200
            //   6a01                 | push                1
            //   0f45d0               | cmovne              edx, eax
            //   68????????           |                     
            //   668955ec             | mov                 word ptr [ebp - 0x14], dx
            //   ff15????????         |                     
            //   8b5de4               | mov                 ebx, dword ptr [ebp - 0x1c]
            //   8bf0                 | mov                 esi, eax

        $sequence_8 = { 8b11 5f 5e 89905c040000 }
            // n = 4, score = 100
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   89905c040000         | mov                 dword ptr [eax + 0x45c], edx

        $sequence_9 = { 8b13 8d86f4050000 898214010000 85ff }
            // n = 4, score = 100
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   8d86f4050000         | lea                 eax, dword ptr [esi + 0x5f4]
            //   898214010000         | mov                 dword ptr [edx + 0x114], eax
            //   85ff                 | test                edi, edi

        $sequence_10 = { 8b11 8bb228010000 83c40c 85f6 7432 }
            // n = 5, score = 100
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8bb228010000         | mov                 esi, dword ptr [edx + 0x128]
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   7432                 | je                  0x34

        $sequence_11 = { 8b13 8b827c870000 55 8baa80870000 }
            // n = 4, score = 100
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   8b827c870000         | mov                 eax, dword ptr [edx + 0x877c]
            //   55                   | push                ebp
            //   8baa80870000         | mov                 ebp, dword ptr [edx + 0x8780]

        $sequence_12 = { 8b11 8b442420 52 50 }
            // n = 4, score = 100
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_13 = { 8b11 8b02 8906 eb54 }
            // n = 4, score = 100
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8906                 | mov                 dword ptr [esi], eax
            //   eb54                 | jmp                 0x56

        $sequence_14 = { 8b13 8b8228010000 833800 7417 }
            // n = 4, score = 100
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   8b8228010000         | mov                 eax, dword ptr [edx + 0x128]
            //   833800               | cmp                 dword ptr [eax], 0
            //   7417                 | je                  0x19

    condition:
        // "them" covers every $sequence_* string above (15 in total); at least
        // 7 must be found. filesize is the size of the object being scanned, so
        // the bound targets on-disk / unpacked files of under 952 KiB --
        // NOTE(review): confirm the intended behaviour when this rule is run
        // against process memory, where filesize may not be defined.
        7 of them and filesize < 974848
}