Pulse Detail — Threat Intelligence

PULSE NAME

StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users

WHITE StrongPity AlienVault 2016-10-10 Modified: 2016-12-17

IOCs

MEDIUM VOLUME

The StrongPity APT is a technically capable group operating under the radar for several years. The group has quietly deployed zero-day in the past, effectively spearphished targets, and maintains a modular toolset. What is most interesting about this group’s more recent activity however, is their focus on users of encryption tools, peaking this summer. In particular, the focus was on Italian and Belgian users, but the StrongPity watering holes affected systems in far more locations than just those two. Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.

Indicators of Compromise (45)

All FileHash-SHA256 domain URL hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA256	31b4afde4984776efb96860c5901a85615971c9b1dcb9e8159bf33750c6c3f9e	—	2016-10-10
FileHash-SHA256	479c2293391119bca3328f5c3613e274ab1796d3f87b141dfb65929e6498703f	—	2016-10-10
FileHash-SHA256	bf97ab2a7b26ec50cb97dd88dab5de37a69145daf4ff8ee2f78b3ee93391573c	—	2016-10-10
FileHash-SHA256	6e9e300b86a357d5a49e456b61bfc4709633af91fcc16f4b35f38d68eec59a4c	—	2016-10-10
FileHash-SHA256	0a71533e5a14ed298c8a3e335b162d175ff1523f064789eae7e5ef91beb68fcd	—	2016-10-10
FileHash-SHA256	ee7f490891289c8649751382ed2fa9e84abb630f1556d9d2a664eaca0db7e340	—	2016-10-10
FileHash-SHA256	4ddf10188243373a59ae4557078e22d990d987d6974786e00d830a41bfd2da77	—	2016-10-10
FileHash-SHA256	b443d7b174f0a81dc9210a126117b5e6defcab59ab448d8451d5249542a07649	—	2016-10-10
FileHash-SHA256	57c4ecf5205d597867e927317eecdea57bc293965a544ccf030598757973a0ee	—	2016-10-10
FileHash-SHA256	86c60cbe19021dd3a61e5aa1b9c9c12b0319cb5e18db89d7a3c6ac1c72f8a2cd	—	2016-10-10
FileHash-SHA256	0f5910d47d719f85f9b9f12eb558b1e3e93f566963e52a78f7a4132e6c0f4cc9	—	2016-10-10
FileHash-SHA256	39182c49b66cdc21f29e3f847c1be0138ea81d0a1c7b000fdeeaae7909660dc8	—	2016-10-10
FileHash-SHA256	160d84a4df575da5fe9e00ffce261c943f10fbd8884c6a5d85f5c46850d7b779	—	2016-10-10
FileHash-SHA256	d8b185bf89fcbf92ed99075d249c67d6fd2af5762a894a2ed0d63406ee229755	—	2016-10-10
FileHash-SHA256	d69935641e347b5ccd2b6b3535c97fecfb74c943817379ee6aa85af57b303f11	—	2016-10-10
FileHash-SHA256	9fcc093125f839c453fda1e340142dac85de0fae2332b31a38edcb60cf19d5ed	—	2016-10-10
FileHash-SHA256	c1063b58a8c4908ca51c160f8c6cafcacc870c482ca1086a498a5c026342a3e6	—	2016-10-10
domain	mytoshba.com	—	2016-10-10
domain	myrappid.com	—	2016-10-10
URL	http://ralrab.com/rar/wrar53b5.exe	—	2016-10-10
URL	http://true-crypt.com/files/TrueCrypt-7.2.exe	—	2016-10-10
URL	http://www.ralrab.com/rar/winrar-x64-531nl.exe	—	2016-10-10
URL	http://ralrab.com/rar/wrar531nl.exe	—	2016-10-10
URL	http://www.ralrab.com/rar/winrar-x64-531.exe	—	2016-10-10
URL	http://www.ralrab.com/rar/winrar-x64-531fr.exe	—	2016-10-10
URL	http://www.true-crypt.com/download/TrueCrypt-Setup-7.1a.exe	—	2016-10-10
URL	http://www.ralrab.com/rar/wrar531fr.exe	—	2016-10-10
URL	http://www.ralrab.com/rar/wrar531.exe	—	2016-10-10
URL	http://ralrab.com/rar/winrar-x64-531nl.exe	—	2016-10-10
URL	http://www.ralrab.com/rar/wrar531nl.exe	—	2016-10-10
URL	http://ralrab.com/rar/wrar531fr.exe	—	2016-10-10
URL	http://ralrab.com/rar/winrar-x64-531.exe	—	2016-10-10
hostname	www.true-crypt.com	—	2016-10-10
domain	ralrab.com	—	2016-10-10
FileHash-SHA256	15ededb19ec5ab6f03db1106d2ccdeeacacdb8cd708518d065cacb1b0d7e955d	—	2016-10-11
FileHash-SHA256	2f98ac11c78ad1b4c5c5c10a88857baf7af43acb9162e8077709db9d563bcf02	—	2016-10-11
domain	windriversupport.com	—	2016-10-11
domain	jourrapid.com	—	2016-10-11
hostname	www.true-crypte.website	—	2016-12-17
domain	truecrypte.org	—	2016-12-17
domain	updatesync.com	—	2016-12-17
domain	mynetenergy.com	—	2016-12-17
domain	svnservices.com	—	2016-12-17
domain	true-crypte.website	—	2016-12-17
domain	edicupd002.com	—	2016-12-17

References (3)

↗ https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Maptrepol.A ↗ https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/ ↗ https://www.symantec.com/security_response/writeup.jsp?docid=2016-101023-5340-99&tabid=2