Group description: PROMETHIUM
PROMETHIUM (StrongPity), Group G0056, MITRE ATT&CK

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics. [1] [2] [3]

ID: G0056
Associated Groups: StrongPity
Version: 2.1
Created: 16 January 2018
Last Modified: 19 April 2024

Associated Group Descriptions

StrongPity: The name StrongPity has also been used to describe the group and the malware used by the group. [4] [3]

Campaigns

C0033 | First Seen: May 2016 [5] | Last Seen: January 2023 [6] | References: [3] [4]
Techniques: Access Notifications; Application Layer Protocol: Web Protocols; Archive Collected Data; Audio Capture; Drive-By Compromise; Encrypted Channel: Symmetric Cryptography; Event Triggered Execution: Broadcast Receivers; Exfiltration Over C2 Channel; File and Directory Discovery; Impair Defenses: Disable or Modify Tools; Ingress Tool Transfer; Location Tracking; Masquerading: Match Legitimate Name or Location; Obfuscated Files or Information; Protected User Data: SMS Messages; Protected User Data: Call Log; Protected User Data: Contact List; Software Discovery; System Information Discovery; System Network Connections Discovery

Techniques Used

Domain | ID | Name | Use

Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PROMETHIUM has used Registry run keys to establish persistence. [3]
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | PROMETHIUM has created new services and modified existing services for persistence. [4]
Enterprise | T1587.002 | Develop Capabilities: Code Signing Certificates | PROMETHIUM has created self-signed certificates to sign malicious installers. [4]
Enterprise | T1587.003 | Develop Capabilities: Digital Certificates | PROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic. [3]
Enterprise | T1189 | Drive-by Compromise | PROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers. [4]
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | PROMETHIUM has named services to appear legitimate. [3] [4]
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers. [3] [4]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | PROMETHIUM has signed code with self-signed certificates. [4]
Enterprise | T1205.001 | Traffic Signaling: Port Knocking | PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports. [4]
Enterprise | T1204.002 | User Execution: Malicious File | PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software, including compression applications, security software, browsers, file recovery applications, and other tools and utilities. [3] [4]
Enterprise | T1078.003 | Valid Accounts: Local Accounts | PROMETHIUM has created admin accounts on a compromised host. [4]
Mobile | T1517 | Access Notifications | During C0033, PROMETHIUM used StrongPity to collect message notifications from 17 applications. [6]
Mobile | T1437.001 | Application Layer Protocol: Web Protocols | During C0033, PROMETHIUM used StrongPity to communicate with the C2 server using HTTPS. [6]
Mobile | T1532 | Archive Collected Data | During C0033, PROMETHIUM used StrongPity to exfiltrate encrypted data to the C2 server. [6]
Mobile | T1429 | Audio Capture | During C0033, PROMETHIUM used StrongPity to record phone calls. [6]
Mobile | T1456 | Drive-By Compromise | During C0033, PROMETHIUM distributed StrongPity through the compromised official Syrian E-Gov website. [7]
Mobile | T1521.001 | Encrypted Channel: Symmetric Cryptography | During C0033, PROMETHIUM used StrongPity to encrypt C2 communication using AES. [6]
Mobile | T1624.001 | Event Triggered Execution: Broadcast Receivers | During C0033, PROMETHIUM used StrongPity to receive the following broadcast events to establish persistence: BOOT_COMPLETED, BATTERY_LOW, USER_PRESENT, SCREEN_ON, SCREEN_OFF, or CONNECTIVITY_CHANGE. [6]
Mobile | T1646 | Exfiltration Over C2 Channel | During C0033, PROMETHIUM used StrongPity to exfiltrate to the C2 server using HTTPS. [6] [7]
Mobile | T1420 | File and Directory Discovery | During C0033, PROMETHIUM used StrongPity to collect file lists on the victim device. [6]
Mobile | T1629.003 | Impair Defenses: Disable or Modify Tools | During C0033, PROMETHIUM used StrongPity to modify permissions on a rooted device and tried to disable the SecurityLogAgent application. [6]
Mobile | T1544 | Ingress Tool Transfer | During C0033, PROMETHIUM used StrongPity to receive files from the C2 and execute them via the parent application. [6]
Mobile | T1430 | Location Tracking | During C0033, PROMETHIUM used StrongPity to access the device's location. [6]
Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | During C0033, PROMETHIUM used StrongPity on a compromised website to distribute a malicious version of a legitimate application. [7]
Mobile | T1406 | Obfuscated Files or Information | During C0033, PROMETHIUM used StrongPity to obfuscate code and strings to evade detection. [6]
Mobile | T1636.002 | Protected User Data: Call Log | During C0033, PROMETHIUM used StrongPity to collect call logs. [6]
Mobile | T1636.003 | Protected User Data: Contact List | During C0033, PROMETHIUM used StrongPity to collect the device's contact list. [6]
Mobile | T1636.004 | Protected User Data: SMS Messages | During C0033, PROMETHIUM used StrongPity to collect SMS messages. [6]
Mobile | T1418 | Software Discovery | During C0033, PROMETHIUM used StrongPity to obtain a list of installed applications. [6]
Mobile | T1426 | System Information Discovery | During C0033, PROMETHIUM used StrongPity to collect the device's information, such as the SIM serial number, etc. [6]
Mobile | T1421 | System Network Connections Discovery | During C0033, PROMETHIUM used StrongPity to collect information regarding available Wi-Fi networks. [7]

Software

S0491 StrongPity [4] [3]
Techniques: Application Layer Protocol: Web Protocols; Archive Collected Data: Archive via Custom Method; Automated Collection; Automated Exfiltration; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: PowerShell; Create or Modify System Process: Windows Service; Encrypted Channel: Asymmetric Cryptography; Exfiltration Over C2 Channel; File and Directory Discovery; Hide Artifacts: Hidden Window; Impair Defenses: Disable or Modify Tools; Indicator Removal: File Deletion; Ingress Tool Transfer; Local Storage Discovery; Masquerading: Masquerade Task or Service; Masquerading: Match Legitimate Resource Name or Location; Non-Standard Port; Obfuscated Files or Information: Encrypted/Encoded File; Process Discovery; Proxy: Multi-hop Proxy; Software Discovery: Security Software Discovery; Subvert Trust Controls: Code Signing; System Network Configuration Discovery; System Services: Service Execution; User Execution: Malicious File

S0178 Truvasys [1] [2]
Techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Masquerading: Masquerade Task or Service

References

[1] Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.
[2] Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
[3] Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
[4] Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
[5] Baumgartner, K. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved March 28, 2024.
[6] Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
[7] Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. Retrieved March 19, 2023.