StrongPity

Malware Profile Updated 3 months ago
StrongPity is malware that infiltrates computer systems, typically through suspicious downloads, emails, or websites. It has been active for over a decade and is possibly linked to the Turkish government. It is designed to exploit and damage systems, steal personal information, disrupt operations, and potentially hold data hostage.

StrongPity's activity rose significantly at the beginning of the year, particularly in January and March. The malware has affected numerous countries, with recent expansions into Algeria, Lebanon, Armenia, and Iran. While its targeting, infrastructure, and infection vectors have remained consistent, there has been a noticeable change in the documents the malware attempts to exfiltrate.

In 2020, a new version of the StrongPity implant, known as StrongPity4, was discovered. This variant appeared more advanced than its predecessors and was detected in a small number of victims in Egypt, Syria, and Turkey. New variants of the loaders used to launch the main StrongPity implants were also identified. The many different versions, combined with hardcoded domains, suggest that a builder tool is used to generate the binaries. Notably, if a victim grants the malicious StrongPity app accessibility services, one of its modules can read incoming notifications and exfiltrate communication from several apps, including Viber, Skype, Gmail, Messenger, and Tinder.

StrongPity's deployment method has drawn comparisons to other cyberespionage campaigns such as Turla, a campaign linked to the Russian security services. Like Turla, StrongPity has reportedly trojanized software installers at the Internet Service Provider (ISP) level, an approach that suggests a high level of sophistication and resourcefulness. However, there are indications that StrongPity has not fully thought through some aspects of its operation. For example, judging by Telegram's error documentation, it appears that StrongPity has not obtained its own API ID, which could limit its effectiveness. Regardless, the malware remains a significant threat; Turla, StrongPity, Winnti, OceanLotus, and WildNeutron have been identified as the most active based on malware detections.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Turla | 2 | Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat
Strongpity4 | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Android
Apt
Payload
Encryption
AITM
Encrypt
Telegram
Skype
Backdoor
Implant
Spyware
Associated Malware
ID | Type | Votes | Profile Description
FinFisher | Unspecified | 1 | FinFisher, also known as FinSpy, is a notorious malware developed by the European company FinFisher. This malicious software has been used extensively for cyber espionage, exploiting vulnerabilities in systems to infiltrate and surveil targets, often without their knowledge. The malware infects syst
Disco | Unspecified | 1 | DisCo is a malware that emerged as a significant threat in the cybersecurity landscape. It's a harmful program designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through suspicious downloads, emails, or websites. Unlike conventional malicious softwa
Zebrocy | Unspecified | 1 | Zebrocy is a well-documented Trojan malware that infiltrates systems to gather specific system information. Once installed, it sends the collected data to its Command and Control (C2) server via an HTTP POST request. The Zebrocy variant also captures a screenshot of the victim's host and transmits i
Associated Threat Actors
ID | Type | Votes | Profile Description
Wildneutron | Unspecified | 2 | None
Sofacy | Unspecified | 1 | Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
OceanLotus | Unspecified | 1 | OceanLotus, also known as APT32, is a threat actor suspected to be linked with Vietnam. It primarily targets foreign companies involved in manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam. The group's recent activities indicate
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the StrongPity malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | Volume of targeted ransomware attacks continue to rise
CERT-EU | 9 months ago | APT trends report Q3 2023
CERT-EU | a year ago | New Cyber Threat 'MoustachedBouncer' Targets Embassies in Belarus
CERT-EU | a year ago | Hackers with links to Pro-Russian groups compromised foreign embassies in Belarus, researchers say
Fortinet | a year ago | Key Findings from the 1H 2023 FortiGuard Labs Threat Report | FortiGuard Labs
MITRE | a year ago | APT Trends report Q1 2018
MITRE | a year ago | APT trends report Q1 2020
MITRE | a year ago | PROMETHIUM extends global reach with StrongPity3 APT
MITRE | a year ago | Octopus-infested seas of Central Asia
Checkpoint | a year ago | 16th January – Threat Intelligence Report - Check Point Research
ESET | a year ago | StrongPity espionage campaign targeting Android users | WeLiveSecurity