Skip to content

Hide Navigation Hide TOC

PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f)

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

Cluster A Galaxy A Cluster B Galaxy B Level
PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f) Microsoft Activity Group actor PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 1
PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f) Microsoft Activity Group actor PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650) Threat Actor 1
Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650) Threat Actor 2
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) Malware PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) Attack Pattern Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 3
Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) Attack Pattern Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 3
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 3
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) Malware 3
Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 4
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 4
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4