
PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f)

PROMETHIUM is an activity group that has been active since at least 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, in which it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, the Truvasys malware evolved with additional features; this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f) | Microsoft Activity Group actor | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 1 |
| PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f) | Microsoft Activity Group actor | PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650) | Threat Actor | 1 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | 2 |
| Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) | Malware | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650) | Threat Actor | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | 2 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 2 |
| Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) | Attack Pattern | PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) | Intrusion Set | 2 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 3 |
| Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) | Attack Pattern | Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | 3 |
| Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) | Malware | 3 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) | Malware | 3 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 3 |
| Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) | Attack Pattern | Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) | Attack Pattern | 3 |
| Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) | Malware | 3 |
| Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | 3 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | 3 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 3 |
| Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 3 |
| Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) | Attack Pattern | Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) | Attack Pattern | 3 |
| Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) | Attack Pattern | Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) | Attack Pattern | 3 |
| Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | 4 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 4 |
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | 4 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 4 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 4 |
| Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | 4 |
| Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 4 |
| System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 4 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | 4 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 4 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 4 |