Rewterz threat Alert – Promethium’s StrongPity3 Targeting New Victims

July 1, 2020

Severity

High

Analysis Summary

PROMETHIUM threat actors have been expanding attempts to infect new targets most likely in Colombia, India, Canada, and Vietnam with its StrongPity3 malware. Using four trojanized setup files, the group is distributing malware via Firefox, VPNpro, DriverPack, and 5kPlayer. The attack vector is not known presently; however, given the nature of the trojanized files, the initial vector could be a watering hole or in-path interception. The trojanized files install the malicious files as well as the legitimate files to, seemingly, obfuscate the installation of said malicious files. Additionally, the files will alter Windows Defender to allow the dropping of the malicious files while preventing detection. The malware has the capability to exfiltrate any Microsoft Office files it finds. Differences between StrongPity2 (SP2) and StrongPity3 (SP3) are few. First, SP3 no longer uses libcurl and only uses winhttp to communicate with its C2 node(s). Additionally, persistence, which was accomplished via registry key entry, is now done via created service. This service changes its name from package to package.

Impact

Data exfiltration
Detection evasion
Security Bypass

Indicators of Compromise

Domain Name

state-awe3-apt[.]com
hostoperationsystems[.]com
cdn2-system3-secrv[.]com
ms6-upload-serv3[.]com
update5-sec3-system[.]com
upd8-sys2-apt[.]com
mentiononecommon[.]com
safecopydisk[.]com
network-msx-system33[.]com
upd32-secure-serv4[.]com
mailtransfersagents[.]com
secure-upd21-app2[.]com
syse-update-app4[.]com
app-system2-update[.]com
mx3-rewc-state[.]com
fileservingpro[.]com
inhousesoftwaredevelopment[.]com
system2-cdn5-mx8[.]com
upd-ncx4-server[.]com
apt5-secure3-state[.]com
file3-netwk-system[.]com
upd3-srv-system-app[.]com
system2-access-sec43[.]com
service-net2-file[.]com
updt-servc-app2[.]com
ms-sys-security[.]com
ms21-app3-upload[.]com
awe232-service-app[.]com

SHA-256

84942df440c892c1e63aff41d9fe4694ea4b8a9102c62faf07c4510671abef13
c59544a76fd425b76d7d9b4805d817c8a91a6a63c9862200c927e27efcd20bfa
bdbc514e274d70e260620d9b7dcfc3ee4cf4eb321474dfbd1eb81d2f17cebc23
b75fbe3b21d83e2000928349d1610f292e1a4c072fd0454309fe1c6c7d85ff46
5cb8f86e03a544531d972e132c81d6785b66dd1b15b6c35a0a04fd83a8bed695
f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4
783b3c61a4069f0325f3560ab9664ff5fb381f37b08a3d4eb4866ba6bc194135
3e58d7efc5e03bd06f227041e5c73f4ecfa5e35ca8419a9ff8b8571eafd34e48
c72bf8537fc189b81855666d7f59ad8e24011c735921a15932275757a485e7a4
17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4
dbd6393bf96518218b4f4522aef4ffa27e517cbce7252841b86031354aec031a
e4135bfeda1de00c3834f7782b77fdb2811f5d07fc60f643553426d9e45b664c
dd40b8ddb5a5795536a65cc0ab6dcc84862d4e14965cde6b4e9ad2b89a0e3905
e80034618538abc1c86a7021ab869c4ce63429d35adbaf8c07ce25f297a61bd2
3ce08ada9cf964789ce70fd2637ded197ac5b154e0b71e9cdb4d99de7ab52267
02d68d2a9b62d1fd79c80e7c01182d18966a8fccc07d997b0f4c3ef71e87910f
d0ee66f8be0ed721774391365604de70dda4751213a667812e4c4a661f71559d
80ad6598f6e0b7c2b7258cbb69aa782dbcac308ca3d9d451b9bb5290b943a58f
5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f
2c3b3c085b3992ab105bbc4696391f4f81374c54bb8966e53d2b2de8b7648681
2b62a469fa9737dabc52840a741a7d71c86c74bd6909c30cb481e2d66e0df75e
835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416
3165650b667f315eae56895ee2041ffb17f89a92b034efd045f5e88bf788016d
fad11a279c6fe195f8110702f962c5296015344da17919b361f73f7f504063ca
3feb6ecbc3b5f4ef64cf974fc117e58ac750188c483c488dd5b5970263bfdb0e
5b5b0a0ff8e5bdf11657e0134a638a818e31af9517e5feffea247eaa2660ee23
4282ac2c4b38f2fa79b3f77f9af80053befb69634f8e93d9e1941a600ae08857
c790e1916a475fbc18e7f239acf0d9399234cf2160529ba25ab44179674d549a
154f3f4338184bc113dc874de6270a025d6d9c3d2a989f2b32d7d90fa222e0c9
211aae5346741680cb921d73e2833368cd0f0cc36e15b16115599554dcb2386d
2ed2553ec6efdf24266be1eb812ab1978ec926d1b8bf281a547be2e43173eeee
d63533bb200525a0a88a68c592c8d4f534fcf83b0acf8ec6be24b7059b0352ae
a6298a1b8c9844764c731327bb1daa7abd50cd85b9f5556e38bd5c88b8184cc4
8e670fc7e22d0fa3eb96262686bd7eec18f81e3dc1eb9b55526078ffd9ae00c3
b06ab1f3abf8262f32c3deab9d344d241e4203235043fe996cb499ed2fdf17c4
55e83292bd9a1f843639bfb98648a40b931a9829d62e6b23904034c417ffa430
24e8f4917bb3cf7d6fd91fc1c95e978ea75a0e6da9033911e48b0fda94be62af
e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899
a4377256776becf75f0f61874cfec3729e17e894f5c9fc1576321f0398142878
ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372
a1ce1b78cc1a9d6092b086f2d0796cde519033ec0935d9cecdea86b6cda87882
55b0bc3b61ee76561ffaa1323fd20a9522e786bfa5eadbba621582ad529ff9e1
c1787de8b5a293197582000d8b94095d8377a5d42aa0b4940a7039cbf4df4b72
11849a6fcb76267676532422db4e9bf4f5c8c525fea0d950f844736bedb8b53e
b1916e7de11e87fa45c222d0532955e781f6695ae0ee15775894d3b3aa72ba98
68f5819687e8f410dea315f32cd04e33ca7c3ec62e9bb9bae9e03b5ded29970e
c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5
a83a882fbe094f4d00a8dc589869adc8a1432a966295fa0c46c2afcced3aac1f
2ab2a6e863538b162b0c7b4287b3e9f65116a9ad9efce6ebb9018c69bbf71460
ea750383d3af605e5cdf2647b9cd30886aa8a428b3bcf6bc96cc178c9afa78d9
b4548a933d5a59d096d75ad4c6aec1046017a62ca2a1d59edd2d97d760dca1eb
03c314990a8d262530f114092c85fd9ddcbd8c423f8bd769864809d1af2f5fad
b1413688f6452b07129e5182311c7efd628bb795613c23fc58c4202e38dda4e7
8e3993583cd2506ccbac4b247949ddee7d6971432576a0f9c485f9f0942054ae
f1a3c2bd241e09f4e98ca15c0d3d804297086c84883d81bb8b74960c6e986555
44ba0bfe401a07f4570fd3ca26f5955350ac831a21326face55465f8d9a7ec52
418203a531ceb1f08a21b354bc0d3bf8f157c76b521495c29639d7bffa416b38
2a7898573bd8be121eda249e7521efd2d599354d51fabae7edafef9d60dae8b1
40e99d0dfc27c66170ed57610a1c3cc9a0b6e87a0d544d739f828f10faf2758b
ff8b71b7e9b320d272babb15324b7417f182313f71c4af0b9961424a12154b66
3a96f09255af4eb1d3fe3ea6dd4befc71543ef317b1d9f9561255a725eb48a62
fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a
bac8489de573f614d988097e9eae53ffc2eb4e7dcb0e68c349f549a26d2130a8
89f1a82f4919db731cc4a5c5a71fbe1a9a1d362b6da61b018c89ea2cd26c0de3
c2c333a5f46eb5894f05f3323ab8aea87b3c2e9ba0221c28dcf46b0842592ac6
6f0b9fdc7edf43a9d1262263320e623a7e2b349f54185491262fe5184413222f
6684c2348d205962d41977b2db6263733809b635cdc039447373c34e04d6bc20
ed2aa3272db6eebedcabbb3c61cb699e6ec5d91b4297b8a6186a03f5b4999a80
18c6224decd141a6412f3d2aa71dbd086e9a71bd51b3baed1cb2b2715d676872
d77901484e91445d8d11b82ff487b9e56b48930fe3086e5858ea754e9f490c1f
d912445a5e8beda7e842756fd6e598d91ef0526c913a6f1e6135957f19fa64ca
fa71584f27f5eacca9f3d5644fd06ccebcc14b8394efeaccd38259f8382c26e5
586fc08567a69f4abbafd05c98be469dfaaa9b93eaccc5043dcf22d2b666bf63
fbd66a4f385e8c573c51c19a49c7e9c2ffa1639f4648721591b7ea0af845a313
e26a76def39740596843a57c3edcfe9f5000af5f5b538215a5799db58f41fe33
fcfd34f99b0a5f4bb91c0d6eaa9b2fdcc3bf9b3dd594213a389a056828a537c1
f694f02ee26d544ad41f543ecd166bd71d02b3723b8a5ee515a9c2944a667971
12e670dc36ac50e86a58f759fa4a5de25e574227a19e1942aaa788c82540a910
e8e2f7538530b6ea3f4726b13bf76c4e0696cdaf1a0547294b447c21df1c594d
4ee465d58613c03c15c0e92728bba76a065149d4773a1ce59c76d414d70fb190
4235f33576b503faacbafb1b612f5fdf91fb406e73964f61064f232bd2b9c21c
d8d0c3854c54e2bacb40ead54d94268dda6ea6aef1ac1f78b8d10b990a4441a2
39cf2459a85f9b8bcc81233964e05dec3f5ec9e8de74329f995c6a0cc8a8db36
dd812ba2bc5f441d8a9594443040f8fea7e3f91bdf1dd1968bbbbc7747e0bc68
e4c55a5b1c07d93b2ae956f7404279c1a68344e7d27e6a3aa917c79c17f7fa05
2ee74ceaa5964cf223aefb3cf4e0c25ea96c7d4bc0eba48439716e763d2f3837
65041a83c88ba90e489de8ac275688815c51b93ae568c627b74fc160d2db6bab
7ae0aa490bad2fa152cd097caaaebfcef7a393a74e886a02b22109b38a4d9fc4
e843af007ac3f58e26d5427e537cdbddf33d118c79dfed831eee1ffcce474569
1af0958f8590b626bedfcd1972cd3ea49d9576db86f1e768e5520f9615d01a19
cac5c0da0b4495a1dee326e4259fb8bcdecb162a780d0d215ad33e751ebbff34
c94e52455826c63a8800e6a66d72db467e1266f3b06aabbaad14c0d7463ee266
bb4628f0b29d906f1ec4c41a5fe5f7fe1b53432b765d5ef0a560e8d2ef5e5541
6d4af9f7e14e1ae7f871cd0bcdd87927cde8d236fd9d37e76554729abe3e31e4
6424307ea25f1889e4b9fb8a64d860e42681cddf71a5a70af7963ab282225c8d
dbf3e5bb9b7b5806d831617fbeed088d56fc2f5794a833d24eff96c165ba417b
64a448ee194fe58c8c212faa4fbe737f8088ef387cc4551a0f1d86e9d4bdab02
9ce65cced9949cef6b69f86542533e653b91ce7d43cb6b51e8ae402b6dadf651
61f8dc6d618572a86bd0b646d16186bb6b0fff970947a7df754add4f65ec8625
91e20fb663b1809279666fb1e7ef7bd8da42ae51e0c05b51515ba851e2a991ac
d40a3503a960663187a83f560e94563cd11606a610a4b176b0ac065af037f175
7c195b85528b3ed75672fbcea0d32a2f45d541cf8c71e855b03d6266a8facdc0

Remediation

Block the threat indicators at their respective controls.
Do not download files from random sources.
Keep all software and browsers updated to latest patched versions.
Only download software from authentic and official sources.

Rewterz Annual Threat Intelligence Report 2024 - Download Now

Rewterz Annual Threat Intelligence Report 2024 - Download Now

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Chrome Vulnerabilities Allow Remote Execution of Malicious Code

Kimsuky APT Uses PowerShell to Execute XWorm RAT – Active IOCs

Akira Ransomware – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Rewterz Threat Alert – TA505 Active Again – IoCs

Rewterz Threat Alert – Trickbot – IoCs

The Wait Is Over!

The Rewterz Annual Threat Intelligence Report 2024 is finally here.