Skip to content

G0056 PROMETHIUM

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.123

Item Value
ID G0056
Associated Names StrongPity
Version 2.0
Created 16 January 2018
Last Modified 22 October 2020
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
StrongPity The name StrongPity has also been used to describe the group and the malware used by the group.43

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder PROMETHIUM has used Registry run keys to establish persistence.3
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service PROMETHIUM has created new services and modified existing services for persistence.4
enterprise T1587 Develop Capabilities -
enterprise T1587.002 Code Signing Certificates PROMETHIUM has created self-signed certificates to sign malicious installers.4
enterprise T1587.003 Digital Certificates PROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic.3
enterprise T1189 Drive-by Compromise PROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers.4
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service PROMETHIUM has named services to appear legitimate.34
enterprise T1036.005 Match Legitimate Name or Location PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.34
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing PROMETHIUM has signed code with self-signed certificates.4
enterprise T1205 Traffic Signaling -
enterprise T1205.001 Port Knocking PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.4
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.34
enterprise T1078 Valid Accounts -
enterprise T1078.003 Local Accounts PROMETHIUM has created admin accounts on a compromised host.4

Software

ID Name References Techniques
S0491 StrongPity - Web Protocols:Application Layer Protocol Archive via Custom Method:Archive Collected Data Automated Collection Automated Exfiltration Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Hidden Window:Hide Artifacts Disable or Modify Tools:Impair Defenses File Deletion:Indicator Removal on Host Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Masquerade Task or Service:Masquerading Non-Standard Port Obfuscated Files or Information Process Discovery Multi-hop Proxy:Proxy Security Software Discovery:Software Discovery Code Signing:Subvert Trust Controls System Information Discovery System Network Configuration Discovery Service Execution:System Services Malicious File:User Execution
S0178 Truvasys - Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Masquerade Task or Service:Masquerading

References

Back to top