C0033
C0033 was a PROMETHIUM campaign during which they used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[2]
| Item | Value |
|---|---|
| ID | C0033 |
| Associated Names | |
| First Seen | May 2016 |
| Last Seen | January 2023 |
| Version | 1.0 |
| Created | 28 March 2024 |
| Last Modified | 11 April 2024 |
Groups
| ID | Name | References |
|---|---|---|
| G0056 | PROMETHIUM | [4][5] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1517 | Access Notifications | During C0033, PROMETHIUM used StrongPity to collect message notifications from 17 applications.[2] |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | During C0033, PROMETHIUM used StrongPity to communicate with the C2 server using HTTPS.[2] |
| mobile | T1532 | Archive Collected Data | During C0033, PROMETHIUM used StrongPity to exfiltrate encrypted data to the C2 server.[2] |
| mobile | T1429 | Audio Capture | During C0033, PROMETHIUM used StrongPity to record phone calls.[2] |
| mobile | T1456 | Drive-By Compromise | During C0033, PROMETHIUM distributed StrongPity through the compromised official Syrian E-Gov website.[3] |
| mobile | T1521 | Encrypted Channel | - |
| mobile | T1521.001 | Symmetric Cryptography | During C0033, PROMETHIUM used StrongPity to encrypt C2 communication using AES.[2] |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | During C0033, PROMETHIUM used StrongPity to receive the following broadcast events to establish persistence: BOOT_COMPLETED, BATTERY_LOW, USER_PRESENT, SCREEN_ON, SCREEN_OFF, or CONNECTIVITY_CHANGE.[2] |
| mobile | T1646 | Exfiltration Over C2 Channel | During C0033, PROMETHIUM used StrongPity to exfiltrate to the C2 server using HTTPS.[2][3] |
| mobile | T1420 | File and Directory Discovery | During C0033, PROMETHIUM used StrongPity to collect file lists on the victim device.[2] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.003 | Disable or Modify Tools | During C0033, PROMETHIUM used StrongPity to modify permissions on a rooted device and tried to disable the SecurityLogAgent application.[2] |
| mobile | T1544 | Ingress Tool Transfer | During C0033, PROMETHIUM used StrongPity to receive files from the C2 and execute them via the parent application.[2] |
| mobile | T1430 | Location Tracking | During C0033, PROMETHIUM used StrongPity to access the device's location.[2] |
| mobile | T1655 | Masquerading | - |
| mobile | T1655.001 | Match Legitimate Name or Location | During C0033, PROMETHIUM used StrongPity on a compromised website to distribute a malicious version of a legitimate application.[3] |
| mobile | T1406 | Obfuscated Files or Information | During C0033, PROMETHIUM used StrongPity to obfuscate code and strings to evade detection.[2] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | During C0033, PROMETHIUM used StrongPity to collect call logs.[2] |
| mobile | T1636.003 | Contact List | During C0033, PROMETHIUM used StrongPity to collect the device's contact list.[2] |
| mobile | T1636.004 | SMS Messages | During C0033, PROMETHIUM used StrongPity to collect SMS messages.[2] |
| mobile | T1418 | Software Discovery | During C0033, PROMETHIUM used StrongPity to obtain a list of installed applications.[2] |
| mobile | T1426 | System Information Discovery | During C0033, PROMETHIUM used StrongPity to collect device information, such as the SIM serial number.[2] |
| mobile | T1421 | System Network Connections Discovery | During C0033, PROMETHIUM used StrongPity to collect information regarding available Wi-Fi networks.[3] |
Software
| ID | Name | Description |
|---|---|---|
| S0491 | StrongPity | [4][5] |
References
1. Baumgartner, K. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved March 28, 2024.
2. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
3. Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. Retrieved March 19, 2023.
4. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
5. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.