C0033 was a PROMETHIUM campaign during which they used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[1]
ID | Name | Description
---|---|---
G0056 | PROMETHIUM | 
Domain | ID | Name | Use
---|---|---|---
Mobile | T1517 | Access Notifications | During C0033, PROMETHIUM used StrongPity to collect message notifications from 17 applications.[1]
Mobile | T1437.001 | Application Layer Protocol: Web Protocols | During C0033, PROMETHIUM used StrongPity to communicate with the C2 server using HTTPS.[1]
Mobile | T1532 | Archive Collected Data | During C0033, PROMETHIUM used StrongPity to exfiltrate encrypted data to the C2 server.[1]
Mobile | T1429 | Audio Capture | During C0033, PROMETHIUM used StrongPity to record phone calls.[1]
Mobile | T1456 | Drive-By Compromise | During C0033, PROMETHIUM distributed StrongPity through the compromised official Syrian E-Gov website.[5]
Mobile | T1521.001 | Encrypted Channel: Symmetric Cryptography | During C0033, PROMETHIUM used StrongPity to encrypt C2 communication using AES.[1]
Mobile | T1624.001 | Event Triggered Execution: Broadcast Receivers | During C0033, PROMETHIUM used StrongPity to receive the following broadcast events to establish persistence:
Mobile | T1646 | Exfiltration Over C2 Channel | During C0033, PROMETHIUM used StrongPity to exfiltrate to the C2 server using HTTPS.[1][5]
Mobile | T1420 | File and Directory Discovery | During C0033, PROMETHIUM used StrongPity to collect file lists on the victim device.[1]
Mobile | T1629.003 | Impair Defenses: Disable or Modify Tools | During C0033, PROMETHIUM used StrongPity to modify permissions on a rooted device and tried to disable the SecurityLogAgent application.[1]
Mobile | T1544 | Ingress Tool Transfer | During C0033, PROMETHIUM used StrongPity to receive files from the C2 and execute them via the parent application.[1]
Mobile | T1430 | Location Tracking | During C0033, PROMETHIUM used StrongPity to access the device's location.[1]
Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | During C0033, PROMETHIUM used StrongPity on a compromised website to distribute a malicious version of a legitimate application.[5]
Mobile | T1406 | Obfuscated Files or Information | During C0033, PROMETHIUM used StrongPity to obfuscate code and strings to evade detection.[1]
Mobile | T1636.002 | Protected User Data: Call Log | During C0033, PROMETHIUM used StrongPity to collect call logs.[1]
Mobile | T1636.003 | Protected User Data: Contact List | During C0033, PROMETHIUM used StrongPity to collect the device's contact list.[1]
Mobile | T1636.004 | Protected User Data: SMS Messages | During C0033, PROMETHIUM used StrongPity to collect SMS messages.[1]
Mobile | T1418 | Software Discovery | During C0033, PROMETHIUM used StrongPity to obtain a list of installed applications.[1]
Mobile | T1426 | System Information Discovery | During C0033, PROMETHIUM used StrongPity to collect device information, such as the SIM serial number.[1]
Mobile | T1421 | System Network Connections Discovery | During C0033, PROMETHIUM used StrongPity to collect information regarding available Wi-Fi networks.[5]
ID | Name | Description
---|---|---
S0491 | StrongPity | 