Skip to content

S0491 StrongPity

StrongPity is an information stealing malware used by PROMETHIUM.12

Item Value
ID S0491
Associated Names
Version 1.0
Created 20 July 2020
Last Modified 15 October 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols StrongPity can use HTTP and HTTPS in C2 communications.21
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method StrongPity can compress and encrypt archived files into multiple .sft files with a repeated xor encryption scheme.21
enterprise T1119 Automated Collection StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions.1
enterprise T1020 Automated Exfiltration StrongPity can automatically exfiltrate collected documents to the C2 server.21
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder StrongPity can use the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key for persistence.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell StrongPity can use PowerShell to add files to the Windows Defender exclusions list.2
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service StrongPity has created new services and modified existing services for persistence.2
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography StrongPity has encrypted C2 traffic using SSL/TLS.2
enterprise T1041 Exfiltration Over C2 Channel StrongPity can exfiltrate collected documents through C2 channels.21
enterprise T1083 File and Directory Discovery StrongPity can parse the hard drive on a compromised host to identify specific file extensions.2
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window StrongPity has the ability to hide the console window for its document search module from the user.2
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion StrongPity can delete previously exfiltrated files from the compromised host.21
enterprise T1105 Ingress Tool Transfer StrongPity can download files to specified targets.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service StrongPity has named services to appear legitimate.21
enterprise T1036.005 Match Legitimate Name or Location StrongPity has been bundled with legitimate software installation files for disguise.2
enterprise T1571 Non-Standard Port
StrongPity has used HTTPS over port 1402 in C2 communication.1
enterprise T1027 Obfuscated Files or Information StrongPity has used encrypted strings in its dropper component.21
enterprise T1057 Process Discovery StrongPity can determine if a user is logged in by checking to see if explorer.exe is running.2
enterprise T1090 Proxy -
enterprise T1090.003 Multi-hop Proxy StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery StrongPity can identify if ESET or BitDefender antivirus are installed before dropping its payload.2
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing StrongPity has been signed with self-signed certificates.1
enterprise T1082 System Information Discovery StrongPity can identify the hard disk volume serial number on a compromised host.2
enterprise T1016 System Network Configuration Discovery StrongPity can identify the IP address of a compromised host.2
enterprise T1569 System Services -
enterprise T1569.002 Service Execution StrongPity can install a service to execute itself as a service.21
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File StrongPity has been executed via compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.21

Groups That Use This Software

ID Name References