G0056 PROMETHIUM

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.³¹²

Item	Value
ID	G0056
Associated Names	StrongPity
Version	2.1
Created	16 January 2018
Last Modified	19 April 2024
Navigation Layer	View In ATT&CK® Navigator

Associated Group Descriptions

Name	Description
StrongPity	The name StrongPity has also been used to describe the group and the malware used by the group.⁴²

Techniques Used

Domain	ID	Name	Use
enterprise	T1547	Boot or Logon Autostart Execution	-
enterprise	T1547.001	Registry Run Keys / Startup Folder	PROMETHIUM has used Registry run keys to establish persistence.²
enterprise	T1543	Create or Modify System Process	-
enterprise	T1543.003	Windows Service	PROMETHIUM has created new services and modified existing services for persistence.⁴
enterprise	T1587	Develop Capabilities	-
enterprise	T1587.002	Code Signing Certificates	PROMETHIUM has created self-signed certificates to sign malicious installers.⁴
enterprise	T1587.003	Digital Certificates	PROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic.²
enterprise	T1189	Drive-by Compromise	PROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers.⁴
enterprise	T1036	Masquerading	-
enterprise	T1036.004	Masquerade Task or Service	PROMETHIUM has named services to appear legitimate.²⁴
enterprise	T1036.005	Match Legitimate Resource Name or Location	PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.²⁴
enterprise	T1553	Subvert Trust Controls	-
enterprise	T1553.002	Code Signing	PROMETHIUM has signed code with self-signed certificates.⁴
enterprise	T1205	Traffic Signaling	-
enterprise	T1205.001	Port Knocking	PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.⁴
enterprise	T1204	User Execution	-
enterprise	T1204.002	Malicious File	PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.²⁴
enterprise	T1078	Valid Accounts	-
enterprise	T1078.003	Local Accounts	PROMETHIUM has created admin accounts on a compromised host.⁴
mobile	T1517	Access Notifications	During C0033, PROMETHIUM used StrongPity to collect message notifications from 17 applications.⁶
mobile	T1437	Application Layer Protocol	-
mobile	T1437.001	Web Protocols	During C0033, PROMETHIUM used StrongPity to communicate with the C2 server using HTTPS.⁶
mobile	T1532	Archive Collected Data	During C0033, PROMETHIUM used StrongPity to exfiltrate encrypted data to the C2 server.⁶
mobile	T1429	Audio Capture	During C0033, PROMETHIUM used StrongPity to record phone calls.⁶
mobile	T1456	Drive-By Compromise	During C0033, PROMETHIUM distributed StrongPity through the compromised official Syrian E-Gov website.⁵
mobile	T1521	Encrypted Channel	-
mobile	T1521.001	Symmetric Cryptography	During C0033, PROMETHIUM used StrongPity to encrypt C2 communication using AES.⁶
mobile	T1624	Event Triggered Execution	-
mobile	T1624.001	Broadcast Receivers	During C0033, PROMETHIUM used StrongPity to receive the following broadcast events to establish persistence: `BOOT_COMPLETED`, `BATTERY_LOW`,`USER_PRESENT`, `SCREEN_ON`, `SCREEN_OFF`, or `CONNECTIVITY_CHANGE`.⁶
mobile	T1646	Exfiltration Over C2 Channel	During C0033, PROMETHIUM used StrongPity to exfiltrate to the C2 server using HTTPS.⁶⁵
mobile	T1420	File and Directory Discovery	During C0033, PROMETHIUM used StrongPity to collect file lists on the victim device.⁶
mobile	T1629	Impair Defenses	-
mobile	T1629.003	Disable or Modify Tools	During C0033, PROMETHIUM used StrongPity to modify permissions on a rooted device and tried to disable the SecurityLogAgent application.⁶
mobile	T1544	Ingress Tool Transfer	During C0033, PROMETHIUM used StrongPity to receive files from the C2 and execute them via the parent application.⁶
mobile	T1430	Location Tracking	During C0033, PROMETHIUM used StrongPity to access the device’s location.⁶
mobile	T1655	Masquerading	-
mobile	T1655.001	Match Legitimate Name or Location	During C0033, PROMETHIUM used StrongPity on a compromised website to distribute a malicious version of a legitimate application.⁵
mobile	T1406	Obfuscated Files or Information	During C0033, PROMETHIUM used StrongPity to obfuscate code and strings to evade detection.⁶
mobile	T1636	Protected User Data	-
mobile	T1636.002	Call Log	During C0033, PROMETHIUM used StrongPity to collect call logs.⁶
mobile	T1636.003	Contact List	During C0033, PROMETHIUM used StrongPity to collect the device’s contact list.⁶
mobile	T1636.004	SMS Messages	During C0033, PROMETHIUM used StrongPity to collect SMS messages.⁶
mobile	T1418	Software Discovery	During C0033, PROMETHIUM used StrongPity to obtain a list of installed applications.⁶
mobile	T1426	System Information Discovery	During C0033, PROMETHIUM used StrongPity to collect the device’s information, such as SIM serial number, SIM serial number, etc.⁶
mobile	T1421	System Network Connections Discovery	During C0033, PROMETHIUM used StrongPity to collect information regarding available Wi-Fi networks.⁵

Software

ID	Name	References	Techniques
S0491	StrongPity	⁴²	Web Protocols:Application Layer Protocol Archive via Custom Method:Archive Collected Data Automated Collection Automated Exfiltration Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Hidden Window:Hide Artifacts Disable or Modify Tools:Impair Defenses File Deletion:Indicator Removal Ingress Tool Transfer Local Storage Discovery Masquerade Task or Service:Masquerading Match Legitimate Resource Name or Location:Masquerading Non-Standard Port Encrypted/Encoded File:Obfuscated Files or Information Process Discovery Multi-hop Proxy:Proxy Security Software Discovery:Software Discovery Code Signing:Subvert Trust Controls System Network Configuration Discovery Service Execution:System Services Malicious File:User Execution
S0178	Truvasys	³¹	Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Masquerade Task or Service:Masquerading

References

Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017. ↩↩
Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. ↩↩↩↩↩↩↩↩
Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017. ↩↩
Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. ↩↩↩↩↩↩↩↩↩↩↩
Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. Retrieved March 19, 2023. ↩↩↩↩
Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
Baumgartner, K. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved March 28, 2024. ↩