{
  "type": "Domain",
  "indicator": "myrappid.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/myrappid.com",
    "alexa": "http://www.alexa.com/siteinfo/myrappid.com",
    "indicator": "myrappid.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 208648,
      "indicator": "myrappid.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "5a2ab96dc5ea9f6ca06a9c07",
          "name": "StrongPity2 spyware replaces FinFisher in MitM campaign \u2013 ISP involved?",
          "description": "Continuing our research into FinFisher \u2013 the infamous spyware known also as FinSpy and sold to governments and their agencies worldwide \u2013 we noticed that the FinFisher malware in our previously-documented campaign, which had strong indicators of internet service provider (ISP) involvement, had been replaced by different spyware. Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the group called StrongPity. As well as detecting and blocking this threat, all ESET products \u2013 including the free ESET Online scanner \u2013 thoroughly clean systems compromised by StrongPity2.",
          "modified": "2019-07-12T14:07:27.191000",
          "created": "2017-12-08T16:10:21.653000",
          "tags": [
            "finfisher",
            "strongpity"
          ],
          "references": [
            "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/"
          ],
          "public": 1,
          "adversary": "StrongPity",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 64,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1,
            "domain": 2,
            "URL": 4,
            "hostname": 3,
            "FileHash-SHA1": 9
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386622,
          "modified_text": "2515 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "57fc16b8f45e9e11bff8a16b",
          "name": "StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users",
          "description": "The StrongPity APT is a technically capable group operating under the radar for several years. The group has quietly deployed zero-day in the past, effectively spearphished targets, and maintains a modular toolset. What is most interesting about this group\u2019s more recent activity however, is their focus on users of encryption tools, peaking this summer. In particular, the focus was on Italian and Belgian users, but the StrongPity watering holes affected systems in far more locations than just those two. Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.",
          "modified": "2016-12-17T01:27:48.509000",
          "created": "2016-10-10T22:31:20.235000",
          "tags": [
            "StrongPity",
            "waterhole",
            "waterholing",
            "winrar",
            "truecrypt",
            "apt",
            "kaspersky"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Maptrepol.A",
            "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
            "https://www.symantec.com/security_response/writeup.jsp?docid=2016-101023-5340-99&tabid=2"
          ],
          "public": 1,
          "adversary": "StrongPity",
          "targeted_countries": [
            "Turkey",
            "Italy",
            "Belgium",
            "Algeria",
            "France"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 67,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 19,
            "domain": 11,
            "URL": 13,
            "hostname": 2
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386561,
          "modified_text": "3452 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Maptrepol.A",
        "https://www.symantec.com/security_response/writeup.jsp?docid=2016-101023-5340-99&tabid=2",
        "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
        "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "StrongPity"
          ],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "5a2ab96dc5ea9f6ca06a9c07",
      "name": "StrongPity2 spyware replaces FinFisher in MitM campaign \u2013 ISP involved?",
      "description": "Continuing our research into FinFisher \u2013 the infamous spyware known also as FinSpy and sold to governments and their agencies worldwide \u2013 we noticed that the FinFisher malware in our previously-documented campaign, which had strong indicators of internet service provider (ISP) involvement, had been replaced by different spyware. Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the group called StrongPity. As well as detecting and blocking this threat, all ESET products \u2013 including the free ESET Online scanner \u2013 thoroughly clean systems compromised by StrongPity2.",
      "modified": "2019-07-12T14:07:27.191000",
      "created": "2017-12-08T16:10:21.653000",
      "tags": [
        "finfisher",
        "strongpity"
      ],
      "references": [
        "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/"
      ],
      "public": 1,
      "adversary": "StrongPity",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 64,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1,
        "domain": 2,
        "URL": 4,
        "hostname": 3,
        "FileHash-SHA1": 9
      },
      "indicator_count": 19,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386622,
      "modified_text": "2515 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "57fc16b8f45e9e11bff8a16b",
      "name": "StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users",
      "description": "The StrongPity APT is a technically capable group operating under the radar for several years. The group has quietly deployed zero-day in the past, effectively spearphished targets, and maintains a modular toolset. What is most interesting about this group\u2019s more recent activity however, is their focus on users of encryption tools, peaking this summer. In particular, the focus was on Italian and Belgian users, but the StrongPity watering holes affected systems in far more locations than just those two. Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.",
      "modified": "2016-12-17T01:27:48.509000",
      "created": "2016-10-10T22:31:20.235000",
      "tags": [
        "StrongPity",
        "waterhole",
        "waterholing",
        "winrar",
        "truecrypt",
        "apt",
        "kaspersky"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Maptrepol.A",
        "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
        "https://www.symantec.com/security_response/writeup.jsp?docid=2016-101023-5340-99&tabid=2"
      ],
      "public": 1,
      "adversary": "StrongPity",
      "targeted_countries": [
        "Turkey",
        "Italy",
        "Belgium",
        "Algeria",
        "France"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 67,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 19,
        "domain": 11,
        "URL": 13,
        "hostname": 2
      },
      "indicator_count": 45,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386561,
      "modified_text": "3452 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "myrappid.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "myrappid.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780242206.487509
}