PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650)

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650)	Threat Actor	1
PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f)	Microsoft Activity Group actor	PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650)	Threat Actor	1
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f)	Microsoft Activity Group actor	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad)	Malware	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf)	Attack Pattern	3
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	3
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a)	Attack Pattern	3
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad)	Malware	3
Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad)	Malware	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	4
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	4
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	4
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	4