SYMBOLCOMMON_NAMEaka. SYNONYMS
win.strongpity (Back to overview)

StrongPity

Actor(s): PROMETHIUM, StrongPity

According to Mitre, StrongPity is an information stealing malware used by PROMETHIUM.

References
2022-03-23QianxinRed Raindrop Team
@online{team:20220323:analysis:225d95b, author = {Red Raindrop Team}, title = {{Analysis of Attack Activity of PROMETHIUM Disguised}}, date = {2022-03-23}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/}, language = {Chines}, urldate = {2022-03-25} } Analysis of Attack Activity of PROMETHIUM Disguised
StrongPity
2021-12-09Minerva LabsNatalie Zargarov
@online{zargarov:20211209:new:2875937, author = {Natalie Zargarov}, title = {{A new StrongPity variant hides behind Notepad++ installation}}, date = {2021-12-09}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation}, language = {English}, urldate = {2021-12-13} } A new StrongPity variant hides behind Notepad++ installation
StrongPity
2021-11-30QianxinRed Raindrop Team
@online{team:20211130:cyberspaces:e8efd82, author = {Red Raindrop Team}, title = {{Cyberspace's Magic Eye: PROMETHIUM Fakes attack activity analysis of NotePads and installation packages}}, date = {2021-11-30}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/nQVUkIwkiQTj2pLaNYHeOA}, language = {Chinese}, urldate = {2021-12-07} } Cyberspace's Magic Eye: PROMETHIUM Fakes attack activity analysis of NotePads and installation packages
StrongPity
2021-11-05BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211105:hunter:3c7bab9, author = {The BlackBerry Research & Intelligence Team}, title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}}, date = {2021-11-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/zebra2104}, language = {English}, urldate = {2021-11-08} } Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-05-24Anchored Narratives on Threat Intelligence and GeopoliticsRJM
@online{rjm:20210524:tracking:3da0800, author = {RJM}, title = {{Tracking StrongPity with Yara}}, date = {2021-05-24}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara}, language = {English}, urldate = {2021-06-21} } Tracking StrongPity with Yara
StrongPity
2021-04-18Anchored Narratives on Threat Intelligence and GeopoliticsRJM
@online{rjm:20210418:recover:9b9c0a8, author = {RJM}, title = {{Recover your files with StrongPity}}, date = {2021-04-18}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity}, language = {English}, urldate = {2021-05-25} } Recover your files with StrongPity
StrongPity
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-01Medium 0xthreatintel0xthreatintel
@online{0xthreatintel:20210201:uncovering:d7b9216, author = {0xthreatintel}, title = {{Uncovering APT-C-41 (StrongPity) Backdoor}}, date = {2021-02-01}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4}, language = {English}, urldate = {2021-02-02} } Uncovering APT-C-41 (StrongPity) Backdoor
StrongPity
2020-12-31cyblecybleinc
@online{cybleinc:20201231:strongpity:bb6ab94, author = {cybleinc}, title = {{StrongPity APT Extends Global Reach with New Infrastructure}}, date = {2020-12-31}, organization = {cyble}, url = {https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/}, language = {English}, urldate = {2021-01-04} } StrongPity APT Extends Global Reach with New Infrastructure
StrongPity
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-10-30360Threat Intelligence Center
@online{center:20201030:aptc41:ede60de, author = {Threat Intelligence Center}, title = {{蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露}}, date = {2020-10-30}, organization = {360}, url = {https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg}, language = {Chinese}, urldate = {2020-11-02} } 蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露
StrongPity
2020-06-30BitdefenderLiviu Arsene, Radu Tudorica, Cristina Vatamanu, Alexandru Maximciuc
@techreport{arsene:20200630:strongpity:ed365fb, author = {Liviu Arsene and Radu Tudorica and Cristina Vatamanu and Alexandru Maximciuc}, title = {{StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure}}, date = {2020-06-30}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf}, language = {English}, urldate = {2020-06-30} } StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure
StrongPity
2020-06-29Cisco TalosWarren Mercer, Paul Rascagnères, Vitor Ventura
@online{mercer:20200629:promethium:e80cd47, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{PROMETHIUM extends global reach with StrongPity3 APT}}, date = {2020-06-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html}, language = {English}, urldate = {2020-06-30} } PROMETHIUM extends global reach with StrongPity3 APT
StrongPity
2018-03-09Bill Marczak, Jakub Dalek, Sarah McKune, Adam Senft, John Scott-Railton, Ron Deibert
@online{marczak:20180309:sandvines:14ef912, author = {Bill Marczak and Jakub Dalek and Sarah McKune and Adam Senft and John Scott-Railton and Ron Deibert}, title = {{Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?}}, date = {2018-03-09}, url = {https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/}, language = {English}, urldate = {2020-01-05} } Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?
StrongPity
2017-12-08ESET ResearchFilip Kafka
@online{kafka:20171208:strongpity2:116d419, author = {Filip Kafka}, title = {{StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?}}, date = {2017-12-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/}, language = {English}, urldate = {2019-11-14} } StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?
StrongPity
2016-10-12Twitter (@PhysicalDrive0)PhysicalDrive0
@online{physicaldrive0:20161012:strongpity:86fba4e, author = {PhysicalDrive0}, title = {{Tweet on StrongPity}}, date = {2016-10-12}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/physicaldrive0/status/786293008278970368}, language = {English}, urldate = {2020-01-06} } Tweet on StrongPity
StrongPity
2016-10-03Kaspersky LabsKurt Baumgartner
@online{baumgartner:20161003:strongpity:d4a8c09, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/}, language = {English}, urldate = {2019-12-20} } On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users
StrongPity
Yara Rules
[TLP:WHITE] win_strongpity_auto (20230808 | Detects win.strongpity.)
rule win_strongpity_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.strongpity."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 33c0 d1f9 50 51 53 }
            // n = 6, score = 700
            //   50                   | push                eax
            //   33c0                 | xor                 eax, eax
            //   d1f9                 | sar                 ecx, 1
            //   50                   | push                eax
            //   51                   | push                ecx
            //   53                   | push                ebx

        $sequence_1 = { 75f8 ff75d0 68???????? ff36 e8???????? }
            // n = 5, score = 700
            //   75f8                 | jne                 0xfffffffa
            //   ff75d0               | push                dword ptr [ebp - 0x30]
            //   68????????           |                     
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     

        $sequence_2 = { 41 83ea01 75f7 50 e8???????? 59 }
            // n = 6, score = 700
            //   41                   | inc                 ecx
            //   83ea01               | sub                 edx, 1
            //   75f7                 | jne                 0xfffffff9
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_3 = { e8???????? 8b4608 83c418 6a2f 59 }
            // n = 5, score = 700
            //   e8????????           |                     
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   83c418               | add                 esp, 0x18
            //   6a2f                 | push                0x2f
            //   59                   | pop                 ecx

        $sequence_4 = { 8945f8 f7d8 56 57 }
            // n = 4, score = 700
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   f7d8                 | neg                 eax
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_5 = { 33db c745f804000000 53 ff7710 895df4 ff770c }
            // n = 6, score = 700
            //   33db                 | xor                 ebx, ebx
            //   c745f804000000       | mov                 dword ptr [ebp - 8], 4
            //   53                   | push                ebx
            //   ff7710               | push                dword ptr [edi + 0x10]
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   ff770c               | push                dword ptr [edi + 0xc]

        $sequence_6 = { ba???????? f3a5 8bf2 668b02 83c202 }
            // n = 5, score = 700
            //   ba????????           |                     
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bf2                 | mov                 esi, edx
            //   668b02               | mov                 ax, word ptr [edx]
            //   83c202               | add                 edx, 2

        $sequence_7 = { 83e801 7408 6a02 58 884612 }
            // n = 5, score = 700
            //   83e801               | sub                 eax, 1
            //   7408                 | je                  0xa
            //   6a02                 | push                2
            //   58                   | pop                 eax
            //   884612               | mov                 byte ptr [esi + 0x12], al

        $sequence_8 = { 0107 83be8800000002 8b07 0f85ad000000 83f814 }
            // n = 5, score = 300
            //   0107                 | add                 dword ptr [edi], eax
            //   83be8800000002       | cmp                 dword ptr [esi + 0x88], 2
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   0f85ad000000         | jne                 0xb3
            //   83f814               | cmp                 eax, 0x14

        $sequence_9 = { 012e 885c240a e9???????? 84db 0f8434020000 }
            // n = 5, score = 300
            //   012e                 | add                 dword ptr [esi], ebp
            //   885c240a             | mov                 byte ptr [esp + 0xa], bl
            //   e9????????           |                     
            //   84db                 | test                bl, bl
            //   0f8434020000         | je                  0x23a

        $sequence_10 = { 5f 8d4503 5d 5b 8b4c2428 }
            // n = 5, score = 300
            //   5f                   | pop                 edi
            //   8d4503               | lea                 eax, [ebp + 3]
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]

        $sequence_11 = { 7417 48 7545 39812c020000 7433 8b8124020000 }
            // n = 6, score = 300
            //   7417                 | je                  0x19
            //   48                   | dec                 eax
            //   7545                 | jne                 0x47
            //   39812c020000         | cmp                 dword ptr [ecx + 0x22c], eax
            //   7433                 | je                  0x35
            //   8b8124020000         | mov                 eax, dword ptr [ecx + 0x224]

        $sequence_12 = { 5f 8b4c2408 5e 5b }
            // n = 4, score = 300
            //   5f                   | pop                 edi
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_13 = { 5f 8d4502 5d 5e 5b 8b4c2468 }
            // n = 6, score = 300
            //   5f                   | pop                 edi
            //   8d4502               | lea                 eax, [ebp + 2]
            //   5d                   | pop                 ebp
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8b4c2468             | mov                 ecx, dword ptr [esp + 0x68]

        $sequence_14 = { 012e 885c240a ebc3 80fb5d 7520 837c240c00 0f85fe020000 }
            // n = 7, score = 300
            //   012e                 | add                 dword ptr [esi], ebp
            //   885c240a             | mov                 byte ptr [esp + 0xa], bl
            //   ebc3                 | jmp                 0xffffffc5
            //   80fb5d               | cmp                 bl, 0x5d
            //   7520                 | jne                 0x22
            //   837c240c00           | cmp                 dword ptr [esp + 0xc], 0
            //   0f85fe020000         | jne                 0x304

        $sequence_15 = { 5f 8bc3 5b c3 8d4638 50 e8???????? }
            // n = 7, score = 300
            //   5f                   | pop                 edi
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8d4638               | lea                 eax, [esi + 0x38]
            //   50                   | push                eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 999424
}
Download all Yara Rules