StrongPity

Malware updated 6 months ago (2024-05-04T18:45:06.303Z)
Download STIX
Preview STIX
StrongPity is a malicious software (malware) that infiltrates computer systems, typically through suspicious downloads, emails, or websites. The malware has been active for over a decade and is possibly linked to the Turkish government. It's designed to exploit and damage systems, steal personal information, disrupt operations, and potentially hold data hostage. There was a significant increase in StrongPity's activity at the beginning of the year, particularly in January and March. This malware has affected numerous countries, with recent expansions into Algeria, Lebanon, Armenia, and Iran. Despite consistent targeting, infrastructure, and infection vectors, there has been a noticeable change in the documents the malware attempts to exfiltrate. In 2020, a new version of the StrongPity implant, known as StrongPity4, was discovered. This variant appeared more advanced than its predecessors and was detected in a small number of victims in Egypt, Syria, and Turkey. Furthermore, new variants of loaders used to initiate the main StrongPity implants were also identified. These many different versions, coupled with hardcoded domains, suggest the use of a tool like a Builder to generate the binaries. Notably, if a victim grants the malicious StrongPity app accessibility services, one of its modules can access incoming notifications and exfiltrate communication from several apps, including Viber, Skype, Gmail, Messenger, and Tinder. The deployment method of StrongPity has drawn comparisons to other cyberespionage campaigns, such as Turla—a campaign linked to the Russian security services. Like Turla, StrongPity has reportedly trojanized software installers at the Internet Service Provider (ISP) level. This approach suggests a high level of sophistication and resourcefulness. However, there are indications that StrongPity may not have fully thought through some aspects of its operation. For example, it appears that StrongPity hasn't obtained its own API ID based on Telegram's error documentation, which could potentially limit its effectiveness. Regardless, the malware remains a significant threat, with Turla, StrongPity, Winnti, OceanLotus, and WildNeutron identified as the most active based on malware detections.
Description last updated: 2024-03-14T09:52:58.140Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Turla is a possible alias for StrongPity. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Android
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The threatActor Wildneutron is associated with StrongPity. Unspecified
2
Source Document References
Information about the StrongPity Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Fortinet
a year ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
Checkpoint
2 years ago
ESET
2 years ago