PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650)

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f)	Microsoft Activity Group actor	PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650)	Threat Actor	1
PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650)	Threat Actor	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	1
PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f)	Microsoft Activity Group actor	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad)	Malware	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	2
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a)	Attack Pattern	PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c)	Intrusion Set	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	3
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad)	Malware	3
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf)	Attack Pattern	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174)	Malware	Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a)	Attack Pattern	Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	4