SYMBOLCOMMON_NAMEaka. SYNONYMS
win.strongpity (Back to overview)

StrongPity

Actor(s): PROMETHIUM, StrongPity

There is no description at this point.

References
2020-06-30BitdefenderLiviu Arsene, Radu Tudorica, Cristina Vatamanu, Alexandru Maximciuc
@techreport{arsene:20200630:strongpity:ed365fb, author = {Liviu Arsene and Radu Tudorica and Cristina Vatamanu and Alexandru Maximciuc}, title = {{StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure}}, date = {2020-06-30}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf}, language = {English}, urldate = {2020-06-30} } StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure
StrongPity
2020-06-29Cisco TalosWarren Mercer, Paul Rascagnères, Vitor Ventura
@online{mercer:20200629:promethium:e80cd47, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{PROMETHIUM extends global reach with StrongPity3 APT}}, date = {2020-06-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html}, language = {English}, urldate = {2020-06-30} } PROMETHIUM extends global reach with StrongPity3 APT
StrongPity
2018-03-09Bill Marczak, Jakub Dalek, Sarah McKune, Adam Senft, John Scott-Railton, Ron Deibert
@online{marczak:20180309:sandvines:14ef912, author = {Bill Marczak and Jakub Dalek and Sarah McKune and Adam Senft and John Scott-Railton and Ron Deibert}, title = {{Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?}}, date = {2018-03-09}, url = {https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/}, language = {English}, urldate = {2020-01-05} } Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?
StrongPity
2017-12-08ESET ResearchFilip Kafka
@online{kafka:20171208:strongpity2:116d419, author = {Filip Kafka}, title = {{StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?}}, date = {2017-12-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/}, language = {English}, urldate = {2019-11-14} } StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?
StrongPity
2016-10-12Twitter (@PhysicalDrive0)PhysicalDrive0
@online{physicaldrive0:20161012:strongpity:86fba4e, author = {PhysicalDrive0}, title = {{Tweet on StrongPity}}, date = {2016-10-12}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/physicaldrive0/status/786293008278970368}, language = {English}, urldate = {2020-01-06} } Tweet on StrongPity
StrongPity
2016-10-03Kaspersky LabsKurt Baumgartner
@online{baumgartner:20161003:strongpity:d4a8c09, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/}, language = {English}, urldate = {2019-12-20} } On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users
StrongPity
Yara Rules
[TLP:WHITE] win_strongpity_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_strongpity_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bec 56 8b7508 f7d1 85f6 }
            // n = 5, score = 400
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   f7d1                 | not                 ecx
            //   85f6                 | test                esi, esi

        $sequence_1 = { 57 e8???????? 83c40c 85c0 0f8520010000 8b6c242c }
            // n = 6, score = 300
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f8520010000         | jne                 0x126
            //   8b6c242c             | mov                 ebp, dword ptr [esp + 0x2c]

        $sequence_2 = { 895c2414 e9???????? 8b4640 84c0 0f89ca000000 57 55 }
            // n = 7, score = 300
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   e9????????           |                     
            //   8b4640               | mov                 eax, dword ptr [esi + 0x40]
            //   84c0                 | test                al, al
            //   0f89ca000000         | jns                 0xd0
            //   57                   | push                edi
            //   55                   | push                ebp

        $sequence_3 = { 83beb400000000 8b7c2424 0f85a3000000 83bf6803000000 }
            // n = 4, score = 300
            //   83beb400000000       | cmp                 dword ptr [esi + 0xb4], 0
            //   8b7c2424             | mov                 edi, dword ptr [esp + 0x24]
            //   0f85a3000000         | jne                 0xa9
            //   83bf6803000000       | cmp                 dword ptr [edi + 0x368], 0

        $sequence_4 = { 0f852c0e0000 33db 399ecc860000 7508 399ee4860000 }
            // n = 5, score = 300
            //   0f852c0e0000         | jne                 0xe32
            //   33db                 | xor                 ebx, ebx
            //   399ecc860000         | cmp                 dword ptr [esi + 0x86cc], ebx
            //   7508                 | jne                 0xa
            //   399ee4860000         | cmp                 dword ptr [esi + 0x86e4], ebx

        $sequence_5 = { 7418 8b570c 8b4920 52 8b542420 }
            // n = 5, score = 300
            //   7418                 | je                  0x1a
            //   8b570c               | mov                 edx, dword ptr [edi + 0xc]
            //   8b4920               | mov                 ecx, dword ptr [ecx + 0x20]
            //   52                   | push                edx
            //   8b542420             | mov                 edx, dword ptr [esp + 0x20]

        $sequence_6 = { 1bc3 0fa4d002 03d2 03d2 2bfa }
            // n = 5, score = 300
            //   1bc3                 | sbb                 eax, ebx
            //   0fa4d002             | shld                eax, edx, 2
            //   03d2                 | add                 edx, edx
            //   03d2                 | add                 edx, edx
            //   2bfa                 | sub                 edi, edx

        $sequence_7 = { 741b 8b563c 8b8c24e8000000 035634 }
            // n = 4, score = 300
            //   741b                 | je                  0x1d
            //   8b563c               | mov                 edx, dword ptr [esi + 0x3c]
            //   8b8c24e8000000       | mov                 ecx, dword ptr [esp + 0xe8]
            //   035634               | add                 edx, dword ptr [esi + 0x34]

        $sequence_8 = { 7420 6bc618 57 8db874bb4100 57 ff15???????? ff0d???????? }
            // n = 7, score = 100
            //   7420                 | je                  0x22
            //   6bc618               | imul                eax, esi, 0x18
            //   57                   | push                edi
            //   8db874bb4100         | lea                 edi, [eax + 0x41bb74]
            //   57                   | push                edi
            //   ff15????????         |                     
            //   ff0d????????         |                     

        $sequence_9 = { 66894dc2 66897dc4 668975c6 66897dc8 33c0 668945ca }
            // n = 6, score = 100
            //   66894dc2             | mov                 word ptr [ebp - 0x3e], cx
            //   66897dc4             | mov                 word ptr [ebp - 0x3c], di
            //   668975c6             | mov                 word ptr [ebp - 0x3a], si
            //   66897dc8             | mov                 word ptr [ebp - 0x38], di
            //   33c0                 | xor                 eax, eax
            //   668945ca             | mov                 word ptr [ebp - 0x36], ax

        $sequence_10 = { 5e 85db 741c 8b45e8 8d0c00 8bc3 }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   85db                 | test                ebx, ebx
            //   741c                 | je                  0x1e
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8d0c00               | lea                 ecx, [eax + eax]
            //   8bc3                 | mov                 eax, ebx

        $sequence_11 = { 6bc830 894de0 8b049da8bf4100 0fb6440828 }
            // n = 4, score = 100
            //   6bc830               | imul                ecx, eax, 0x30
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8b049da8bf4100       | mov                 eax, dword ptr [ebx*4 + 0x41bfa8]
            //   0fb6440828           | movzx               eax, byte ptr [eax + ecx + 0x28]

        $sequence_12 = { 56 56 668945f4 668945f6 33c0 56 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   56                   | push                esi
            //   668945f4             | mov                 word ptr [ebp - 0xc], ax
            //   668945f6             | mov                 word ptr [ebp - 0xa], ax
            //   33c0                 | xor                 eax, eax
            //   56                   | push                esi

        $sequence_13 = { 8d8dd8f7ffff 51 53 ffd0 ffb57cf7ffff 8b35???????? }
            // n = 6, score = 100
            //   8d8dd8f7ffff         | lea                 ecx, [ebp - 0x828]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   ffd0                 | call                eax
            //   ffb57cf7ffff         | push                dword ptr [ebp - 0x884]
            //   8b35????????         |                     

        $sequence_14 = { eb17 894638 eb0e c74634544b4100 c7463806000000 }
            // n = 5, score = 100
            //   eb17                 | jmp                 0x19
            //   894638               | mov                 dword ptr [esi + 0x38], eax
            //   eb0e                 | jmp                 0x10
            //   c74634544b4100       | mov                 dword ptr [esi + 0x34], 0x414b54
            //   c7463806000000       | mov                 dword ptr [esi + 0x38], 6

    condition:
        7 of them and filesize < 999424
}
Download all Yara Rules