
StrongPity Expands Its Targets
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | StrongPity can use HTTP and HTTPS in C2 communications. |
| Enterprise | | | StrongPity can compress and encrypt archived files into multiple .sft files using a repeating-key XOR scheme. |
| Enterprise | | | StrongPity has a file-searcher component that automatically collects and archives files matching a predefined list of file extensions. |
| Enterprise | | | StrongPity can automatically exfiltrate collected documents to the C2 server. |
| Enterprise | | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | StrongPity can use the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key for persistence. |
| Enterprise | | | StrongPity can use PowerShell to add files to the Windows Defender exclusion list. |
| Enterprise | | | StrongPity has created new services and modified existing services for persistence. |
| Enterprise | | | StrongPity has encrypted C2 traffic using SSL/TLS. |
| Enterprise | | | StrongPity can exfiltrate collected documents over its C2 channel. |
| Enterprise | | | StrongPity can search the hard drive of a compromised host for files with specific extensions. |
| Enterprise | | | StrongPity can hide the console window of its document-search module from the user. |
| Enterprise | | | StrongPity can add the directories it uses to the Windows Defender exclusion list to evade detection. |
| Enterprise | | | StrongPity can delete previously exfiltrated files from the compromised host. |
| Enterprise | | | StrongPity can download files to specified targets. |
| Enterprise | | | StrongPity has named its services to appear legitimate. |
| Enterprise | | | StrongPity has been bundled with legitimate software installation files as a disguise. |
| Enterprise | | | StrongPity has used HTTPS over port 1402 for C2 communication. |
| Enterprise | | | StrongPity has used encrypted strings in its dropper component. |
| Enterprise | | | StrongPity can determine whether a user is logged in by checking whether explorer.exe is running. |
| Enterprise | | | StrongPity can use multiple layers of proxy servers to hide the terminal nodes of its infrastructure. |
| Enterprise | | | StrongPity can check whether ESET or BitDefender antivirus is installed before dropping its payload. |
| Enterprise | | | StrongPity has been signed with self-signed certificates. |
| Enterprise | | | StrongPity can identify the hard disk volume serial number of a compromised host. |
| Enterprise | | | StrongPity can identify the IP address of a compromised host. |
| Enterprise | | | StrongPity can install itself as a service and execute as that service. |
| Enterprise | | | StrongPity has been executed via trojanized installation files for legitimate software, including compression applications, security software, browsers, file-recovery applications, and other tools and utilities. |
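Several rows of the table map directly onto host telemetry: the HKCU Run key write, the PowerShell call that adds a Defender exclusion, the outbound HTTPS connection on port 1402, the .sft archive parts written to disk, and the installation of a legitimate-looking service. The Python below is an added example, not code from the original page or from any StrongPity analysis, that runs one detection rule for each of those rows over constructed Sysmon-style and System-log-style records. Everything about the sample data is assumed: the Sysmon field names (EventID, Image, CommandLine, TargetObject, TargetFilename, DestinationPort, ImagePath), the staging path under AppData, the use of the Add-MpPreference cmdlet (the page says only "PowerShell"), and the directory allow-list for service binaries.

```python
"""Detection sketch for the StrongPity behaviours listed above.

Added example (not from the original page or from any StrongPity sample).
Log records are CONSTRUCTED Sysmon / System-log style dicts; field names
follow Sysmon's event schema but how your pipeline normalises them is an
assumption.
"""
import re

# HKCU Run key as Sysmon reports it: either HKCU\... or HKU\<SID>\...
RUN_KEY_RE = re.compile(
    r"^HK(?:CU|U\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE,
)
# Assumption: exclusions are added with the Add-MpPreference cmdlet (the page
# only says "PowerShell"); any -Exclusion* switch is of interest.
DEFENDER_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.IGNORECASE
)
# Service binaries normally live here; anything else deserves a look.
TRUSTED_SERVICE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
NON_STANDARD_TLS_PORTS = {1402}   # HTTPS over 1402, per the table
STAGING_EXTENSION = ".sft"        # archive-part extension, per the table


def run_key_persistence(ev):
    """Sysmon 13 (registry value set) under the HKCU Run key."""
    if ev.get("EventID") == 13 and RUN_KEY_RE.match(ev.get("TargetObject", "")):
        return f"Run key {ev['TargetObject']} -> {ev.get('Details', '')}"
    return None


def defender_exclusion(ev):
    """Sysmon 1 (process create) whose command line adds a Defender exclusion."""
    if ev.get("EventID") == 1 and DEFENDER_EXCLUSION_RE.search(ev.get("CommandLine", "")):
        return "Defender exclusion added: " + ev["CommandLine"]
    return None


def non_standard_port_c2(ev):
    """Sysmon 3 (network connect) to a port the table associates with StrongPity HTTPS."""
    if ev.get("EventID") == 3 and ev.get("DestinationPort") in NON_STANDARD_TLS_PORTS:
        return f"{ev.get('Protocol', '?')} to {ev.get('DestinationIp')}:{ev['DestinationPort']}"
    return None


def staging_archive_written(ev):
    """Sysmon 11 (file create) of a .sft archive part."""
    if ev.get("EventID") == 11 and ev.get("TargetFilename", "").lower().endswith(STAGING_EXTENSION):
        return "archive part written: " + ev["TargetFilename"]
    return None


def service_from_untrusted_path(ev):
    """System 7045 (service installed) with a binary outside the usual directories."""
    if ev.get("EventID") != 7045:
        return None
    path = ev.get("ImagePath", "").strip('"').lower()
    if path.startswith(TRUSTED_SERVICE_DIRS):
        return None
    return f"service '{ev.get('ServiceName')}' installed from {ev.get('ImagePath')}"


RULES = {
    "registry_run_key": run_key_persistence,
    "defender_exclusion_via_powershell": defender_exclusion,
    "https_on_port_1402": non_standard_port_c2,
    "sft_archive_written": staging_archive_written,
    "service_from_untrusted_path": service_from_untrusted_path,
}


def scan(events):
    """Run every rule over every event and return the list of findings."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "event_id": ev["EventID"], "detail": detail})
    return findings


# Constructed sample telemetry: five records matching the table rows, plus two benign ones.
STAGING_DIR = r"C:\Users\alice\AppData\Roaming\Updater"   # hypothetical staging path
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": STAGING_DIR + r"\updater.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": STAGING_DIR + r"\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Add-MpPreference -ExclusionPath ' + STAGING_DIR + '"'},
    {"EventID": 3, "Image": STAGING_DIR + r"\updater.exe", "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 1402},   # TEST-NET-3 address
    {"EventID": 11, "Image": STAGING_DIR + r"\updater.exe",
     "TargetFilename": STAGING_DIR + r"\0001.sft"},
    {"EventID": 7045, "ServiceName": "Windows Update Helper",
     "ImagePath": '"' + STAGING_DIR + r'\svc.exe"'},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "tcp", "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 7045, "ServiceName": "Example", "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
```

Two caveats when turning this into production rules: Sysmon only emits event 13 for the Run key if the Sysmon configuration includes a RegistryEvent rule for that path, and the port-1402 rule will fire on any legitimate service that happens to use that port, so baseline it per environment. The Defender exclusion rule is also worth pairing with the Defender operational log (event 5007, configuration changed), which catches exclusions added by means other than a visible PowerShell command line.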