
PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650)

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650) | Threat Actor | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 1 |
| PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650) | Threat Actor | PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f) | Microsoft Activity Group actor | 1 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) | Attack Pattern | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) | Attack Pattern | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) | Attack Pattern | 2 |
| Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 2 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f) | Microsoft Activity Group actor | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) | Malware | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | 2 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) | Attack Pattern | 2 |
| Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) | Attack Pattern | Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) | Attack Pattern | 3 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 3 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) | Attack Pattern | 3 |
| StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 3 |
| Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 3 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 3 |
| StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 3 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 3 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | 3 |
| Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) | Attack Pattern | Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) | Attack Pattern | 3 |
| Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) | Attack Pattern | Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) | Attack Pattern | 3 |
| Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) | Attack Pattern | 3 |
| Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 3 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 3 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) | Malware | 3 |
| Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) | Malware | 3 |
| Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | 3 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 3 |
| Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | 3 |
| Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | 4 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 4 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | 4 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 4 |
| Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 4 |
| System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 4 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 4 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | 4 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 4 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 4 |