PROMETHIUM
Associated Group Descriptions

Name | Description
---|---
StrongPity | The name StrongPity has also been used to describe the group and the malware used by the group.(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PROMETHIUM has used Registry Run keys to establish persistence.(Citation: Talos Promethium June 2020)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | PROMETHIUM has created new services and modified existing services for persistence.(Citation: Bitdefender StrongPity June 2020)
Enterprise | T1587.002 | Develop Capabilities: Code Signing Certificates | PROMETHIUM has created self-signed certificates to sign malicious installers.(Citation: Bitdefender StrongPity June 2020)
Enterprise | T1587.003 | Develop Capabilities: Digital Certificates | PROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic.(Citation: Talos Promethium June 2020)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | PROMETHIUM has named services to appear legitimate.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | PROMETHIUM has signed code with self-signed certificates.(Citation: Bitdefender StrongPity June 2020)
Enterprise | T1205.001 | Traffic Signaling: Port Knocking | PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.(Citation: Bitdefender StrongPity June 2020)
Enterprise | T1204.002 | User Execution: Malicious File | PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)
Enterprise | T1078.003 | Valid Accounts: Local Accounts | PROMETHIUM has created admin accounts on a compromised host.(Citation: Bitdefender StrongPity June 2020)
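The Run-key, Windows-service, masquerading-service-name and local-admin-account rows above all leave records in standard endpoint telemetry (Sysmon Event ID 13, System log 7045, Security log 4732). The script below is an added example written for this page, not code from MITRE, Bitdefender or Talos: it triages constructed records with heuristics that are this example's assumptions (user-writable image-path directories, a list of words a masquerading service name tends to borrow). The events, paths, service and account names are constructed; none is an indicator from the cited reports.

```python
"""Triage constructed Windows telemetry for the persistence and masquerading
patterns in the table above: Registry Run keys (T1547.001), new services
(T1543.003), legitimate-looking service names (T1036.004) and local admin
group membership changes (T1078.003).  Every record, path, name and threshold
here is constructed for this example; none is an indicator from the reports."""
import re

# Sysmon Event ID 13 (registry value set): TargetObject under Run/RunOnce.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)
# Directories a legitimate service or autostart binary rarely runs from
# (assumption for this example; tune to the estate's baseline).
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE,
)
# Words a masquerading service name tends to borrow (assumed list).
LEGIT_TOKENS = ("windows", "microsoft", "update", "defender", "security", "svchost")


def is_run_key(target_object: str) -> bool:
    return bool(RUN_KEY_RE.search(target_object))


def first_executable(command: str) -> str:
    """Return the executable path of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(events):
    """Return (technique, subject, detail) tuples for suspicious records.

    Records are dicts with an "id" (Windows/Sysmon event ID) plus the fields
    that event carries; SAMPLE_EVENTS shows the shape."""
    findings = []
    for ev in events:
        if ev["id"] == 13 and is_run_key(ev["TargetObject"]):
            exe = first_executable(ev["Details"])
            if USER_WRITABLE_RE.search(exe):
                findings.append(("T1547.001", ev["TargetObject"], exe))
        elif ev["id"] == 7045:  # System log: a service was installed
            exe = first_executable(ev["ImagePath"])
            if USER_WRITABLE_RE.search(exe):
                findings.append(("T1543.003", ev["ServiceName"], exe))
                name = ev["ServiceName"].lower()
                if any(tok in name for tok in LEGIT_TOKENS):
                    findings.append(("T1036.004", ev["ServiceName"], exe))
        elif ev["id"] == 4732 and ev["GroupName"].lower() == "administrators":
            # Security log: a member was added to a security-enabled local group
            findings.append(("T1078.003", ev["MemberName"], ev["GroupName"]))
    return findings


SAMPLE_EVENTS = [  # constructed records
    {"id": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Users\alice\AppData\Roaming\Updater\updater.exe" /silent'},
    {"id": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"id": 7045, "ServiceName": "WindowsUpdateHelper", "ImagePath": r"C:\ProgramData\WinUpdate\wuhelper.exe"},
    {"id": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 4732, "GroupName": "Administrators", "MemberName": "svc_backup"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

The path heuristic is deliberately the weakest link: a service installed under Program Files with a stolen or self-signed certificate (the T1553.002 row) passes it, so pair this with signer validation rather than relying on location alone.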
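The port-knocking row above describes a knockd-gated C2 server: the C2 port stays closed until a source has sent SYNs to a secret sequence of ports. The block below is an added example for this page, not the actor's script or knockd's code. Part one models the gate so the mechanism is concrete; part two finds knock-like bursts in iptables LOG lines of dropped SYNs, the kind of record a LOG rule placed before the DROP rule produces. The knock sequence, ports, addresses, thresholds and log lines are constructed; the actor's real sequence is not published on this page.

```python
"""Port knocking (T1205.001): model of a knockd-style gate, and a detector for
knock-like bursts in iptables LOG lines.  All sequences, ports, addresses,
thresholds and log lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


class KnockGate:
    """Minimal model of knockd + firewall: a source that hits SEQUENCE in order,
    each knock within TIMEOUT seconds of the previous, gets PROTECTED_PORT
    opened for it; an out-of-order knock resets that source's progress."""

    def __init__(self, sequence, protected_port, timeout=10):
        self.sequence = tuple(sequence)
        self.protected_port = protected_port
        self.timeout = timeout
        self.progress = {}   # src -> (index of next expected knock, time of last knock)
        self.opened = set()  # sources allowed through to protected_port

    def packet(self, ts, src, dpt):
        """Return True if this SYN would be accepted by the firewall."""
        if dpt == self.protected_port:
            return src in self.opened
        idx, last = self.progress.get(src, (0, ts))
        if (ts - last).total_seconds() > self.timeout:
            idx = 0  # sequence timed out; start over
        if dpt == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.opened.add(src)
                idx = 0
        else:
            idx = 0
        self.progress[src] = (idx, ts)
        return False  # knock ports themselves are always closed


def gate_demo():
    """One complete knock; returns (allowed before, allowed after, allowed for a non-knocker)."""
    gate = KnockGate([7000, 8000, 9000], protected_port=443)  # assumed sequence
    t0 = datetime(2020, 6, 30, 12, 0, 0)
    before = gate.packet(t0, "203.0.113.5", 443)
    for sec, port in enumerate((7000, 8000, 9000), start=1):
        gate.packet(t0 + timedelta(seconds=sec), "203.0.113.5", port)
    after = gate.packet(t0 + timedelta(seconds=4), "203.0.113.5", 443)
    other = gate.packet(t0 + timedelta(seconds=4), "192.0.2.9", 443)
    return before, after, other


# netfilter LOG line: syslog timestamp, SRC=, DPT= and the SYN flag.
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d).*SRC=(?P<src>\S+).*DPT=(?P<dpt>\d+).*\bSYN\b")


def parse_line(line, year=2020):
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def find_knock_sequences(lines, window=10, min_knocks=3, max_ports=8):
    """Sources hitting MIN_KNOCKS..MAX_PORTS distinct closed ports inside WINDOW
    seconds.  More than MAX_PORTS in a window looks like a scan and is skipped.
    Returns {src: [ports in first-seen order]}."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            by_src[src].append((ts, dpt))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        candidate, scan_like = None, False
        for i, (t0, _) in enumerate(events):
            burst = [d for t, d in events[i:] if (t - t0).total_seconds() <= window]
            distinct = list(dict.fromkeys(burst))
            if len(distinct) > max_ports:
                scan_like = True
                break
            if candidate is None and len(distinct) >= min_knocks:
                candidate = distinct
        if candidate and not scan_like:
            hits[src] = candidate
    return hits


SAMPLE_LOG = (  # constructed: one knocker, one SSH retry, one 40-port scanner
    "Jun 30 12:00:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=7000 SYN URGP=0\n"
    "Jun 30 12:00:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=8000 SYN URGP=0\n"
    "Jun 30 12:00:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=9000 SYN URGP=0\n"
    "Jun 30 12:00:05 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0\n"
    "Jun 30 12:00:07 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0\n"
    + "".join(
        f"Jun 30 12:00:0{i % 10} gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 "
        f"PROTO=TCP SPT=4{i:04d} DPT={i} SYN URGP=0\n"
        for i in range(1, 41)
    )
)
```

On a suspected C2 host the same evidence is on disk rather than in logs: a knockd.conf with a sequence and a command that inserts an iptables ACCEPT rule for the knocking source, which is what the gate above models.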
Software

ID | Name | References | Techniques
---|---|---|---
S0491 | StrongPity | (Citation: Bitdefender StrongPity June 2020) (Citation: Talos Promethium June 2020) | Automated Exfiltration, Hidden Window, Non-Standard Port, System Network Configuration Discovery, Exfiltration Over C2 Channel, Archive via Custom Method, Masquerade Task or Service, Obfuscated Files or Information, Disable or Modify Tools, Malicious File, Web Protocols, File Deletion, Security Software Discovery, File and Directory Discovery, Automated Collection, PowerShell, Windows Service, Asymmetric Cryptography, System Information Discovery, Multi-hop Proxy, Ingress Tool Transfer, Registry Run Keys / Startup Folder, Process Discovery, Service Execution, Code Signing, Match Legitimate Name or Location
S0178 | Truvasys | (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21) (Citation: Microsoft Win Defender Truvasys Sep 2017) | Registry Run Keys / Startup Folder, Masquerade Task or Service
References
- Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
- Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.
- Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.