S0178 Truvasys
Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written in the Delphi programming language. 1 2 3
| Item | Value |
|---|---|
| ID | S0178 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 16 January 2018 |
| Last Modified | 18 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Truvasys adds a Registry Run key to establish persistence.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | To establish persistence, Truvasys adds a Registry Run key with a value “TaskMgr” in an attempt to masquerade as the legitimate Windows Task Manager.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0056 | PROMETHIUM | 23 |
References
-
Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017. ↩↩↩
-
Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017. ↩↩
-
Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017. ↩↩