StrongPity Expands Its Targets

Promethium APT-C-41
StrongPity, also known as APT-C-41 and Promethium, is a cyber espionage group that has been active since at least 2012. The group initially targeted individuals and organizations in Syria and Turkey, but its campaigns have since expanded to targets across Africa, Asia, Europe, and North America. The group uses methods such as watering hole attacks and phishing messages to infiltrate targeted systems and steal sensitive information. These attacks are designed to activate the kill chain: the sequence of actions the attackers take to gain access, establish control, and exfiltrate data from the targeted systems.

Indicators of Compromise


APT Groups (1)

PROMETHIUM (Turkey): aliases APT-C-41, Promethium, StrongPity

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Domain | ID | Name | Use

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | StrongPity can use HTTP and HTTPS in C2 communications.
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | StrongPity can compress and encrypt archived files into multiple .sft files with a repeated XOR encryption scheme.
Enterprise | T1119 | Automated Collection | StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions.
Enterprise | T1020 | Automated Exfiltration | StrongPity can automatically exfiltrate collected documents to the C2 server.
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | StrongPity can use the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key for persistence.
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | StrongPity can use PowerShell to add files to the Windows Defender exclusions list.
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | StrongPity has created new services and modified existing services for persistence.
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | StrongPity has encrypted C2 traffic using SSL/TLS.
Enterprise | T1041 | Exfiltration Over C2 Channel | StrongPity can exfiltrate collected documents through C2 channels.
Enterprise | T1083 | File and Directory Discovery | StrongPity can parse the hard drive on a compromised host to identify specific file extensions.
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | StrongPity has the ability to hide the console window for its document search module from the user.
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection.
Enterprise | T1070.004 | Indicator Removal: File Deletion | StrongPity can delete previously exfiltrated files from the compromised host.
Enterprise | T1105 | Ingress Tool Transfer | StrongPity can download files to specified targets.
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | StrongPity has named services to appear legitimate.
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | StrongPity has been bundled with legitimate software installation files for disguise.
Enterprise | T1571 | Non-Standard Port | StrongPity has used HTTPS over port 1402 in C2 communication.
Enterprise | T1027 | Obfuscated Files or Information | StrongPity has used encrypted strings in its dropper component.
Enterprise | T1057 | Process Discovery | StrongPity can determine if a user is logged in by checking to see if explorer.exe is running.
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | StrongPity can identify if ESET or BitDefender antivirus is installed before dropping its payload.
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | StrongPity has been signed with self-signed certificates.
Enterprise | T1082 | System Information Discovery | StrongPity can identify the hard disk volume serial number on a compromised host.
Enterprise | T1016 | System Network Configuration Discovery | StrongPity can identify the IP address of a compromised host.
Enterprise | T1569.002 | System Services: Service Execution | StrongPity can install a service to execute itself as a service.
Enterprise | T1204.002 | User Execution: Malicious File | StrongPity has been executed via compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.

Reports & References (2)

Observed Countries (13)

BE (175)
CA (209)
DE (44)
DZ (124)
FR (723)
IN (204)
IT (421)
NL (995)
PL (334)
RU (353)
SY (813)
TR (907)
US (519)