StrongPity
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | StrongPity can use HTTP and HTTPS in C2 communications. (Citation: Talos Promethium June 2020) (Citation: Bitdefender StrongPity June 2020)
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | StrongPity can compress and encrypt archived files into multiple .sft files with a repeated XOR encryption scheme. (Citation: Talos Promethium June 2020) (Citation: Bitdefender StrongPity June 2020)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | StrongPity can use the
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | StrongPity can use PowerShell to add files to the Windows Defender exclusions list. (Citation: Talos Promethium June 2020)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | StrongPity has created new services and modified existing services for persistence. (Citation: Talos Promethium June 2020)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | StrongPity has encrypted C2 traffic using SSL/TLS. (Citation: Talos Promethium June 2020)
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | StrongPity has the ability to hide the console window of its document search module from the user. (Citation: Talos Promethium June 2020)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | StrongPity can add the directories it uses to the Windows Defender exclusions list to prevent detection. (Citation: Talos Promethium June 2020)
Enterprise | T1070.004 | Indicator Removal: File Deletion | StrongPity can delete previously exfiltrated files from the compromised host. (Citation: Talos Promethium June 2020) (Citation: Bitdefender StrongPity June 2020)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | StrongPity has named its services to appear legitimate. (Citation: Talos Promethium June 2020) (Citation: Bitdefender StrongPity June 2020)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | StrongPity has been bundled with legitimate software installation files as a disguise. (Citation: Talos Promethium June 2020)
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | StrongPity can use multiple layers of proxy servers to hide the terminal nodes of its infrastructure. (Citation: Bitdefender StrongPity June 2020)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | StrongPity can identify whether ESET or BitDefender antivirus is installed before dropping its payload. (Citation: Talos Promethium June 2020)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | StrongPity has been signed with self-signed certificates. (Citation: Bitdefender StrongPity June 2020)
Enterprise | T1569.002 | System Services: Service Execution | StrongPity can install a service to execute itself as a service. (Citation: Talos Promethium June 2020) (Citation: Bitdefender StrongPity June 2020)
Enterprise | T1204.002 | User Execution: Malicious File | StrongPity has been executed via compromised installation files for legitimate software, including compression applications, security software, browsers, file recovery applications, and other tools and utilities. (Citation: Talos Promethium June 2020) (Citation: Bitdefender StrongPity June 2020)
Groups That Use This Software

ID | Name | References
---|---|---
G0056 | PROMETHIUM | (Citation: Bitdefender StrongPity June 2020) (Citation: Talos Promethium June 2020)