StrongPity is an information stealing malware used by PROMETHIUM.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.[1] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | StrongPity has named services to appear legitimate.[2][1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | StrongPity has been bundled with legitimate software installation files for disguise.[2] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | StrongPity has created new services and modified existing services for persistence.[2] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | StrongPity has encrypted C2 traffic using SSL/TLS.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | StrongPity can use the |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | StrongPity can use PowerShell to add files to the Windows Defender exclusions list.[2] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection.[2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | StrongPity can use HTTP and HTTPS in C2 communications.[2][1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | StrongPity can compress and encrypt archived files into multiple .sft files with a repeated XOR encryption scheme.[2][1] |
| Enterprise | T1083 | File and Directory Discovery | StrongPity can parse the hard drive on a compromised host to identify specific file extensions.[2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | StrongPity has used encrypted strings in its dropper component.[2][1] |
| Enterprise | T1204.002 | User Execution: Malicious File | StrongPity has been executed via compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.[2][1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | StrongPity can delete previously exfiltrated files from the compromised host.[2][1] |
| Enterprise | T1082 | System Information Discovery | StrongPity can identify the hard disk volume serial number on a compromised host.[2] |
| Enterprise | T1569.002 | System Services: Service Execution | StrongPity can install a service to execute itself as a service.[2][1] |
| Enterprise | T1016 | System Network Configuration Discovery | StrongPity can identify the IP address of a compromised host.[2] |
| Enterprise | T1119 | Automated Collection | StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions.[1] |
| Enterprise | T1020 | Automated Exfiltration | StrongPity can automatically exfiltrate collected documents to the C2 server.[2][1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | StrongPity can identify whether ESET or BitDefender antivirus is installed before dropping its payload.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | StrongPity can download files to specified targets.[1] |
| Enterprise | T1057 | Process Discovery | StrongPity can determine if a user is logged in by checking whether explorer.exe is running.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | StrongPity can exfiltrate collected documents through C2 channels.[2][1] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | StrongPity has the ability to hide the console window for its document search module from the user.[2] |
| Enterprise | T1571 | Non-Standard Port | StrongPity has used HTTPS over port 1402 in C2 communication.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | StrongPity has been signed with self-signed certificates.[1] |

| ID | Name | References |
|---|---|---|
| G0056 | PROMETHIUM | |