G0056 PROMETHIUM
PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.[1][2][3]
Item | Value |
---|---|
ID | G0056 |
Associated Names | StrongPity |
Version | 2.0 |
Created | 16 January 2018 |
Last Modified | 22 October 2020 |
Associated Group Descriptions
Name | Description |
---|---|
StrongPity | The name StrongPity has also been used to describe the group and the malware used by the group.[4][3] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | PROMETHIUM has used Registry run keys to establish persistence.[3] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | PROMETHIUM has created new services and modified existing services for persistence.[4] |
enterprise | T1587 | Develop Capabilities | - |
enterprise | T1587.002 | Code Signing Certificates | PROMETHIUM has created self-signed certificates to sign malicious installers.[4] |
enterprise | T1587.003 | Digital Certificates | PROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic.[3] |
enterprise | T1189 | Drive-by Compromise | PROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers.[4] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | PROMETHIUM has named services to appear legitimate.[3][4] |
enterprise | T1036.005 | Match Legitimate Name or Location | PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.[3][4] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | PROMETHIUM has signed code with self-signed certificates.[4] |
enterprise | T1205 | Traffic Signaling | - |
enterprise | T1205.001 | Port Knocking | PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.[4] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software, including compression applications, security software, browsers, file recovery applications, and other tools and utilities.[3][4] |
enterprise | T1078 | Valid Accounts | - |
enterprise | T1078.003 | Local Accounts | PROMETHIUM has created admin accounts on a compromised host.[4] |
References
1. Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.
2. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
3. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
4. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.