PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f)

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f)	Microsoft Activity Group actor	1
PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f)	Microsoft Activity Group actor	PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650)	Threat Actor	1
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650)	Threat Actor	2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad)	Malware	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf)	Attack Pattern	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	3
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	3
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a)	Attack Pattern	Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	3
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad)	Malware	3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	4
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	4
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	4
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	4