PROMETHIUM

Also known as: Magenta Dust, SmallPity, StrongPity (MITRE ATT&CK group ID G0056)

PROMETHIUM is an espionage-focused activity group that has been active since at least 2012. It has conducted operations globally, with a heavy emphasis on Turkish targets. PROMETHIUM shows similarities to another activity group, NEODYMIUM, in its overlapping victims and campaign characteristics (Microsoft NEODYMIUM Dec 2016; Microsoft SIR Vol 21; Talos Promethium June 2020).

🌍 Country Turkey
📅 Activity 2016 (indexed reporting only; see Activities and Tactics for the caveat)
Risk Level High
🧭 ATT&CK G0056

Activities and Tactics

Country of Origin: 🇹🇷 Turkey

Risk Level: High

First Seen: 2016 (earliest report in the indexed APTnotes snapshot; Microsoft's Dec 2016 reporting places the group's activity from at least 2012)

Last Activity: 2016 (latest report in the indexed snapshot; the Talos and Bitdefender reports of June 2020 describe continued StrongPity3 activity, so this date should not be read as the end of the group's operations)

Notable Campaigns

  • C0033: a PROMETHIUM campaign in which StrongPity was used to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, which had previously relied on Windows-based techniques. (Citation: welivesec_strongpity)

Tactics, Techniques, and Procedures (TTPs)

No ATT&CK technique IDs are listed in this profile.

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes one public report that may contain IOCs; see Attribution and Evidence and the References for dataset links.

Malware and Tools

  • Truvasys
  • StrongPity (reported as StrongPity3 in the June 2020 Talos and Bitdefender reports; also used against Android targets in campaign C0033)

Attribution and Evidence

Country of Origin: Turkey

Additional attribution information pending cataloguing.

References

[1] mitre-attack. MITRE ATT&CK group entry G0056 (PROMETHIUM).
[3] Microsoft SIR Vol 21. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
[4] Talos Promethium June 2020. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
[5] Microsoft NEODYMIUM Dec 2016. Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.
[7] Bitdefender StrongPity June 2020. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.