
PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650)

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features; this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f) | Microsoft Activity Group actor | PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650) | Threat Actor | 1 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650) | Threat Actor | 1 |
| PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f) | Microsoft Activity Group actor | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) | Attack Pattern | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) | Attack Pattern | 2 |
| Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) | Malware | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 2 |
| Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) | Attack Pattern | 2 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 2 |
| Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) | Attack Pattern | 3 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 3 |
| Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) | Attack Pattern | Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) | Attack Pattern | 3 |
| Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) | Attack Pattern | Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) | Attack Pattern | 3 |
| Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) | Malware | Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | 3 |
| Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) | Malware | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 3 |
| Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | 3 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 3 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 3 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 3 |
| Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) | Attack Pattern | Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) | Attack Pattern | 3 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 3 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 3 |
| Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) | Attack Pattern | 3 |
| System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | 3 |
| Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 3 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 4 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 4 |
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | 4 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 4 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 4 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 4 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | 4 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 4 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | 4 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 4 |
| Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 4 |