Skip to content

Hide Navigation Hide TOC

PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f)

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

Cluster A Galaxy A Cluster B Galaxy B Level
PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f) Microsoft Activity Group actor PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650) Threat Actor 1
PROMETHIUM (5744f91a-d2d8-4f92-920f-943dd80c578f) Microsoft Activity Group actor PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 1
PROMETHIUM (43894e2a-174e-4931-94a8-2296afe8f650) Threat Actor PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) Malware PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set 2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) Attack Pattern 2
PROMETHIUM - G0056 (efed95ba-d7e8-47ff-8c53-99c42426ee7c) Intrusion Set StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 3
Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) Attack Pattern Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Truvasys - S0178 (691c60e2-273d-4d56-9ce6-b67e0f8719ad) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 3
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 3
Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) Attack Pattern Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern StrongPity - S0491 (20945359-3b39-4542-85ef-08ecb4e1c174) Malware 3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 4
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 4