
Rewterz Threat Alert – PROMETHIUM’s StrongPity3 Targeting New Victims

Severity

High

Analysis Summary

PROMETHIUM threat actors have expanded their attempts to infect new targets, most likely in Colombia, India, Canada, and Vietnam, with the StrongPity3 malware. The group is distributing the malware through four trojanized setup files: installers for Firefox, VPNpro, DriverPack, and 5kPlayer. The initial attack vector is not known at present; given the nature of the trojanized installers, it could be a watering hole or in-path interception of the download. Each trojanized installer drops the malicious files alongside the legitimate application, seemingly to mask the installation of the malicious components. The installer also alters Windows Defender so that the malicious files can be dropped without being detected. The malware has the capability to exfiltrate any Microsoft Office files it finds.

Differences between StrongPity2 (SP2) and StrongPity3 (SP3) are few. First, SP3 no longer uses libcurl and communicates with its C2 node(s) only via winhttp. Second, persistence, which SP2 achieved through a registry key entry, is now achieved through a newly created service; the service name changes from package to package.
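As an added example (not tooling from Rewterz or from the original research), the following PowerShell script hunts for the three host-side behaviours the summary describes: Windows Defender exclusions, services registered recently (Service Control Manager event 7045 in the System log), and services whose binary lives outside the standard program directories. The 30-day look-back window and the set of trusted directories are assumptions to tune per environment; run it in an elevated PowerShell on the host being examined.

```powershell
# Hunt for the StrongPity3 host behaviours described above (added example, not Rewterz or
# original-research tooling). Assumptions: 30-day look-back for service-install events, and
# the "trusted" roots for service binaries below; both should be tuned per environment.

$LookBackDays = 30
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

# 1. Windows Defender exclusions. The summary says the installer alters Defender so the dropped
#    files are not detected; on a clean workstation these lists are normally empty.
function Get-DefenderExclusions {
    $pref = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in @($pref.$kind)) {
            if ($value) {
                [pscustomobject]@{ Check = 'DefenderExclusion'; Type = $kind; Value = $value }
            }
        }
    }
}

# 2. Services installed within the look-back window. Event 7045 is written by the Service
#    Control Manager whenever a new service is registered; SP3's service name changes between
#    packages, so we key on the install event rather than on a fixed name.
function Get-RecentServiceInstalls {
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$LookBackDays) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Check       = 'ServiceInstalled'
            Time        = $_.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            StartType   = $data['StartType']
        }
    }
}

# Extract the executable from a service command line ("C:\x\y.exe" -arg  or  C:\x\y.exe -arg).
function Get-ServiceBinaryPath([string]$commandLine) {
    if ([string]::IsNullOrWhiteSpace($commandLine)) { return $null }
    if ($commandLine.StartsWith('"')) {
        $end = $commandLine.IndexOf('"', 1)
        if ($end -gt 1) { return $commandLine.Substring(1, $end - 1) }
        return $null
    }
    return ($commandLine -split ' ')[0]
}

# 3. Services whose binary lives outside the trusted roots (typically user-writable locations),
#    with the file's creation time and SHA-256 so it can be compared against the IoC list.
function Get-SuspiciousServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if ($bin -and -not ($TrustedRoots | Where-Object { $bin.StartsWith($_, 'OrdinalIgnoreCase') })) {
            $file = Get-Item -LiteralPath $bin -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Check       = 'ServiceOutsideTrustedRoots'
                ServiceName = $_.Name
                Binary      = $bin
                Created     = if ($file) { $file.CreationTime } else { 'missing' }
                SHA256      = if ($file) { (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
}

Get-DefenderExclusions
Get-RecentServiceInstalls
Get-SuspiciousServiceBinaries | Format-Table -AutoSize
```

Any Defender exclusion on a host that ran one of the listed installers, or a 7045 event whose ImagePath points into a user profile or ProgramData, is worth pulling for analysis; pipe the functions to Export-Csv to collect results across a fleet.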

Impact

  • Data exfiltration
  • Detection evasion
  • Security Bypass

Indicators of Compromise

Domain Name

  • state-awe3-apt[.]com
  • hostoperationsystems[.]com
  • cdn2-system3-secrv[.]com
  • ms6-upload-serv3[.]com
  • update5-sec3-system[.]com
  • upd8-sys2-apt[.]com
  • mentiononecommon[.]com
  • safecopydisk[.]com
  • network-msx-system33[.]com
  • upd32-secure-serv4[.]com
  • mailtransfersagents[.]com
  • secure-upd21-app2[.]com
  • syse-update-app4[.]com
  • app-system2-update[.]com
  • mx3-rewc-state[.]com
  • fileservingpro[.]com
  • inhousesoftwaredevelopment[.]com
  • system2-cdn5-mx8[.]com
  • upd-ncx4-server[.]com
  • apt5-secure3-state[.]com
  • file3-netwk-system[.]com
  • upd3-srv-system-app[.]com
  • system2-access-sec43[.]com
  • service-net2-file[.]com
  • updt-servc-app2[.]com
  • ms-sys-security[.]com
  • ms21-app3-upload[.]com
  • awe232-service-app[.]com

SHA-256

  • 84942df440c892c1e63aff41d9fe4694ea4b8a9102c62faf07c4510671abef13
  • c59544a76fd425b76d7d9b4805d817c8a91a6a63c9862200c927e27efcd20bfa
  • bdbc514e274d70e260620d9b7dcfc3ee4cf4eb321474dfbd1eb81d2f17cebc23
  • b75fbe3b21d83e2000928349d1610f292e1a4c072fd0454309fe1c6c7d85ff46
  • 5cb8f86e03a544531d972e132c81d6785b66dd1b15b6c35a0a04fd83a8bed695
  • f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4
  • 783b3c61a4069f0325f3560ab9664ff5fb381f37b08a3d4eb4866ba6bc194135
  • 3e58d7efc5e03bd06f227041e5c73f4ecfa5e35ca8419a9ff8b8571eafd34e48
  • c72bf8537fc189b81855666d7f59ad8e24011c735921a15932275757a485e7a4
  • 17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4
  • dbd6393bf96518218b4f4522aef4ffa27e517cbce7252841b86031354aec031a
  • e4135bfeda1de00c3834f7782b77fdb2811f5d07fc60f643553426d9e45b664c
  • dd40b8ddb5a5795536a65cc0ab6dcc84862d4e14965cde6b4e9ad2b89a0e3905
  • e80034618538abc1c86a7021ab869c4ce63429d35adbaf8c07ce25f297a61bd2
  • 3ce08ada9cf964789ce70fd2637ded197ac5b154e0b71e9cdb4d99de7ab52267
  • 02d68d2a9b62d1fd79c80e7c01182d18966a8fccc07d997b0f4c3ef71e87910f
  • d0ee66f8be0ed721774391365604de70dda4751213a667812e4c4a661f71559d
  • 80ad6598f6e0b7c2b7258cbb69aa782dbcac308ca3d9d451b9bb5290b943a58f
  • 5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f
  • 2c3b3c085b3992ab105bbc4696391f4f81374c54bb8966e53d2b2de8b7648681
  • 2b62a469fa9737dabc52840a741a7d71c86c74bd6909c30cb481e2d66e0df75e
  • 835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416
  • 3165650b667f315eae56895ee2041ffb17f89a92b034efd045f5e88bf788016d
  • fad11a279c6fe195f8110702f962c5296015344da17919b361f73f7f504063ca
  • 3feb6ecbc3b5f4ef64cf974fc117e58ac750188c483c488dd5b5970263bfdb0e
  • 5b5b0a0ff8e5bdf11657e0134a638a818e31af9517e5feffea247eaa2660ee23
  • 4282ac2c4b38f2fa79b3f77f9af80053befb69634f8e93d9e1941a600ae08857
  • c790e1916a475fbc18e7f239acf0d9399234cf2160529ba25ab44179674d549a
  • 154f3f4338184bc113dc874de6270a025d6d9c3d2a989f2b32d7d90fa222e0c9
  • 211aae5346741680cb921d73e2833368cd0f0cc36e15b16115599554dcb2386d
  • 2ed2553ec6efdf24266be1eb812ab1978ec926d1b8bf281a547be2e43173eeee
  • d63533bb200525a0a88a68c592c8d4f534fcf83b0acf8ec6be24b7059b0352ae
  • a6298a1b8c9844764c731327bb1daa7abd50cd85b9f5556e38bd5c88b8184cc4
  • 8e670fc7e22d0fa3eb96262686bd7eec18f81e3dc1eb9b55526078ffd9ae00c3
  • b06ab1f3abf8262f32c3deab9d344d241e4203235043fe996cb499ed2fdf17c4
  • 55e83292bd9a1f843639bfb98648a40b931a9829d62e6b23904034c417ffa430
  • 24e8f4917bb3cf7d6fd91fc1c95e978ea75a0e6da9033911e48b0fda94be62af
  • e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899
  • a4377256776becf75f0f61874cfec3729e17e894f5c9fc1576321f0398142878
  • ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372
  • a1ce1b78cc1a9d6092b086f2d0796cde519033ec0935d9cecdea86b6cda87882
  • 55b0bc3b61ee76561ffaa1323fd20a9522e786bfa5eadbba621582ad529ff9e1
  • c1787de8b5a293197582000d8b94095d8377a5d42aa0b4940a7039cbf4df4b72
  • 11849a6fcb76267676532422db4e9bf4f5c8c525fea0d950f844736bedb8b53e
  • b1916e7de11e87fa45c222d0532955e781f6695ae0ee15775894d3b3aa72ba98
  • 68f5819687e8f410dea315f32cd04e33ca7c3ec62e9bb9bae9e03b5ded29970e
  • c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5
  • a83a882fbe094f4d00a8dc589869adc8a1432a966295fa0c46c2afcced3aac1f
  • 2ab2a6e863538b162b0c7b4287b3e9f65116a9ad9efce6ebb9018c69bbf71460
  • ea750383d3af605e5cdf2647b9cd30886aa8a428b3bcf6bc96cc178c9afa78d9
  • b4548a933d5a59d096d75ad4c6aec1046017a62ca2a1d59edd2d97d760dca1eb
  • 03c314990a8d262530f114092c85fd9ddcbd8c423f8bd769864809d1af2f5fad
  • b1413688f6452b07129e5182311c7efd628bb795613c23fc58c4202e38dda4e7
  • 8e3993583cd2506ccbac4b247949ddee7d6971432576a0f9c485f9f0942054ae
  • f1a3c2bd241e09f4e98ca15c0d3d804297086c84883d81bb8b74960c6e986555
  • 44ba0bfe401a07f4570fd3ca26f5955350ac831a21326face55465f8d9a7ec52
  • 418203a531ceb1f08a21b354bc0d3bf8f157c76b521495c29639d7bffa416b38
  • 2a7898573bd8be121eda249e7521efd2d599354d51fabae7edafef9d60dae8b1
  • 40e99d0dfc27c66170ed57610a1c3cc9a0b6e87a0d544d739f828f10faf2758b
  • ff8b71b7e9b320d272babb15324b7417f182313f71c4af0b9961424a12154b66
  • 3a96f09255af4eb1d3fe3ea6dd4befc71543ef317b1d9f9561255a725eb48a62
  • fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a
  • bac8489de573f614d988097e9eae53ffc2eb4e7dcb0e68c349f549a26d2130a8
  • 89f1a82f4919db731cc4a5c5a71fbe1a9a1d362b6da61b018c89ea2cd26c0de3
  • c2c333a5f46eb5894f05f3323ab8aea87b3c2e9ba0221c28dcf46b0842592ac6
  • 6f0b9fdc7edf43a9d1262263320e623a7e2b349f54185491262fe5184413222f
  • 6684c2348d205962d41977b2db6263733809b635cdc039447373c34e04d6bc20
  • ed2aa3272db6eebedcabbb3c61cb699e6ec5d91b4297b8a6186a03f5b4999a80
  • 18c6224decd141a6412f3d2aa71dbd086e9a71bd51b3baed1cb2b2715d676872
  • d77901484e91445d8d11b82ff487b9e56b48930fe3086e5858ea754e9f490c1f
  • d912445a5e8beda7e842756fd6e598d91ef0526c913a6f1e6135957f19fa64ca
  • fa71584f27f5eacca9f3d5644fd06ccebcc14b8394efeaccd38259f8382c26e5
  • 586fc08567a69f4abbafd05c98be469dfaaa9b93eaccc5043dcf22d2b666bf63
  • fbd66a4f385e8c573c51c19a49c7e9c2ffa1639f4648721591b7ea0af845a313
  • e26a76def39740596843a57c3edcfe9f5000af5f5b538215a5799db58f41fe33
  • fcfd34f99b0a5f4bb91c0d6eaa9b2fdcc3bf9b3dd594213a389a056828a537c1
  • f694f02ee26d544ad41f543ecd166bd71d02b3723b8a5ee515a9c2944a667971
  • 12e670dc36ac50e86a58f759fa4a5de25e574227a19e1942aaa788c82540a910
  • e8e2f7538530b6ea3f4726b13bf76c4e0696cdaf1a0547294b447c21df1c594d
  • 4ee465d58613c03c15c0e92728bba76a065149d4773a1ce59c76d414d70fb190
  • 4235f33576b503faacbafb1b612f5fdf91fb406e73964f61064f232bd2b9c21c
  • d8d0c3854c54e2bacb40ead54d94268dda6ea6aef1ac1f78b8d10b990a4441a2
  • 39cf2459a85f9b8bcc81233964e05dec3f5ec9e8de74329f995c6a0cc8a8db36
  • dd812ba2bc5f441d8a9594443040f8fea7e3f91bdf1dd1968bbbbc7747e0bc68
  • e4c55a5b1c07d93b2ae956f7404279c1a68344e7d27e6a3aa917c79c17f7fa05
  • 2ee74ceaa5964cf223aefb3cf4e0c25ea96c7d4bc0eba48439716e763d2f3837
  • 65041a83c88ba90e489de8ac275688815c51b93ae568c627b74fc160d2db6bab
  • 7ae0aa490bad2fa152cd097caaaebfcef7a393a74e886a02b22109b38a4d9fc4
  • e843af007ac3f58e26d5427e537cdbddf33d118c79dfed831eee1ffcce474569
  • 1af0958f8590b626bedfcd1972cd3ea49d9576db86f1e768e5520f9615d01a19
  • cac5c0da0b4495a1dee326e4259fb8bcdecb162a780d0d215ad33e751ebbff34
  • c94e52455826c63a8800e6a66d72db467e1266f3b06aabbaad14c0d7463ee266
  • bb4628f0b29d906f1ec4c41a5fe5f7fe1b53432b765d5ef0a560e8d2ef5e5541
  • 6d4af9f7e14e1ae7f871cd0bcdd87927cde8d236fd9d37e76554729abe3e31e4
  • 6424307ea25f1889e4b9fb8a64d860e42681cddf71a5a70af7963ab282225c8d
  • dbf3e5bb9b7b5806d831617fbeed088d56fc2f5794a833d24eff96c165ba417b
  • 64a448ee194fe58c8c212faa4fbe737f8088ef387cc4551a0f1d86e9d4bdab02
  • 9ce65cced9949cef6b69f86542533e653b91ce7d43cb6b51e8ae402b6dadf651
  • 61f8dc6d618572a86bd0b646d16186bb6b0fff970947a7df754add4f65ec8625
  • 91e20fb663b1809279666fb1e7ef7bd8da42ae51e0c05b51515ba851e2a991ac
  • d40a3503a960663187a83f560e94563cd11606a610a4b176b0ac065af037f175
  • 7c195b85528b3ed75672fbcea0d32a2f45d541cf8c71e855b03d6266a8facdc0
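To sweep a host against these indicators, here is an added PowerShell example (not Rewterz tooling). The embedded domain and hash lists are a short subset copied from the lists above with the defanging brackets removed; paste in the full lists before use. The scan roots (user profile, ProgramData, the Windows Temp directory) are an assumption about where a trojanized installer would drop files, and the 50 MB size cap is an assumption to keep the hashing pass fast.

```powershell
# Sweep a host against the StrongPity3 indicators (added example, not Rewterz tooling).
# The lists below are a SUBSET of the IoC section with "[.]" refanged to "."; use the full lists.

$IocDomains = @(
    'state-awe3-apt.com',
    'hostoperationsystems.com',
    'cdn2-system3-secrv.com',
    'mentiononecommon.com',
    'safecopydisk.com'
)
$IocHashes = @(
    '84942df440c892c1e63aff41d9fe4694ea4b8a9102c62faf07c4510671abef13',
    'c59544a76fd425b76d7d9b4805d817c8a91a6a63c9862200c927e27efcd20bfa',
    'bdbc514e274d70e260620d9b7dcfc3ee4cf4eb321474dfbd1eb81d2f17cebc23'
)
# Assumed drop locations for a trojanized installer; extend per environment.
$ScanRoots = @("$env:USERPROFILE", "$env:ProgramData", "$env:SystemRoot\Temp")

# Case-insensitive set so lookups stay O(1) even with the full hash list pasted in.
$hashSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($h in $IocHashes) { [void]$hashSet.Add($h) }

# 1. DNS client cache: a hit means some process on this host resolved a C2 name recently.
#    Matches the domain itself and any subdomain of it.
function Find-IocDnsHits {
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($entry in $cache) {
        foreach ($d in $IocDomains) {
            if ($entry.Entry -eq $d -or $entry.Entry.EndsWith(".$d", 'OrdinalIgnoreCase')) {
                [pscustomobject]@{ Check = 'DnsCache'; Name = $entry.Entry; Data = $entry.Data; Domain = $d }
            }
        }
    }
}

# 2. File hashes: SHA-256 every file under the scan roots and report matches. Hashing is the
#    slow part, so files above the size cap (large media, ISOs) are skipped.
function Find-IocFileHits([long]$MaxSizeBytes = 50MB) {
    foreach ($root in $ScanRoots) {
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -le $MaxSizeBytes } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($hash -and $hashSet.Contains($hash)) {
                    [pscustomobject]@{ Check = 'FileHash'; Path = $_.FullName; SHA256 = $hash; Created = $_.CreationTime }
                }
            }
    }
}

Find-IocDnsHits
Find-IocFileHits
```

The DNS cache only holds recent resolutions, so for historical coverage run the same domain match over DNS server or proxy logs; a file-hash hit should be followed by checking which service on the host references that path.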

Remediation

  • Block the threat indicators at their respective controls (domains at DNS, proxy and perimeter firewall; file hashes at endpoint protection).
  • On hosts that ran any of the listed installers, review Windows Defender exclusions and recently created services, since the malware alters Defender and persists as a service.
  • Do not download files from untrusted sources.
  • Keep all software and browsers updated to the latest patched versions.
  • Only download software from authentic and official sources.