PROMETHIUM

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.[1][2][3]

ID: G0056
Associated Groups: StrongPity
Version: 2.0
Created: 16 January 2018
Last Modified: 22 October 2020

Associated Group Descriptions

Name Description
StrongPity

The name StrongPity has also been used to describe the group and the malware used by the group.[4][3]

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PROMETHIUM has used Registry run keys to establish persistence.[3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

PROMETHIUM has created new services and modified existing services for persistence.[4]

Enterprise T1587 .003 Develop Capabilities: Digital Certificates

PROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic.[3]

.002 Develop Capabilities: Code Signing Certificates

PROMETHIUM has created self-signed certificates to sign malicious installers.[4]

Enterprise T1189 Drive-by Compromise

PROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers.[4]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.[3][4]

.004 Masquerading: Masquerade Task or Service

PROMETHIUM has named services to appear legitimate.[3][4]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

PROMETHIUM has signed code with self-signed certificates.[4]

Enterprise T1205 .001 Traffic Signaling: Port Knocking

PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.[4]

Enterprise T1204 .002 User Execution: Malicious File

PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.[3][4]

Enterprise T1078 .003 Valid Accounts: Local Accounts

PROMETHIUM has created admin accounts on a compromised host.[4]

Software

ID Name References Techniques
S0491 StrongPity [4][3] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Non-Standard Port, Obfuscated Files or Information, Process Discovery, Proxy: Multi-hop Proxy, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Services: Service Execution, User Execution: Malicious File
S0178 Truvasys [1][2] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Masquerading: Masquerade Task or Service

References