Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Преступная группа PROMETHIUM
Риски
Каталоги
MITRE ATT&CK
Преступная группа
PROMETHIUM
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

PROMETHIUM

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)
ID: G0056
Associated Groups: StrongPity
Version: 2.1
Created: 16 Jan 2018
Last Modified: 19 Apr 2024

Associated Group Descriptions
Name Description
StrongPity The name StrongPity has also been used to describe the group and the malware used by the group.(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)

Techniques Used
Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PROMETHIUM has used Registry run keys to establish persistence.(Citation: Talos Promethium June 2020)
Enterprise T1543 .003 Create or Modify System Process: Windows Service

PROMETHIUM has created new services and modified existing services for persistence.(Citation: Bitdefender StrongPity June 2020)
Enterprise T1587 .002 Develop Capabilities: Code Signing Certificates

PROMETHIUM has created self-signed certificates to sign malicious installers.(Citation: Bitdefender StrongPity June 2020)
.003 Develop Capabilities: Digital Certificates

PROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic.(Citation: Talos Promethium June 2020)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

PROMETHIUM has named services to appear legitimate.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)
.005 Masquerading: Match Legitimate Resource Name or Location

PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

PROMETHIUM has signed code with self-signed certificates.(Citation: Bitdefender StrongPity June 2020)
Enterprise T1205 .001 Traffic Signaling: Port Knocking

PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.(Citation: Bitdefender StrongPity June 2020)
Enterprise T1204 .002 User Execution: Malicious File

PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)
Enterprise T1078 .003 Valid Accounts: Local Accounts

PROMETHIUM has created admin accounts on a compromised host.(Citation: Bitdefender StrongPity June 2020)

Software
ID Name References Techniques
S0491 StrongPity (Citation: Bitdefender StrongPity June 2020) (Citation: Talos Promethium June 2020) Encrypted/Encoded File, Archive via Custom Method, Match Legitimate Resource Name or Location, Malicious File, Windows Service, Automated Collection, Code Signing, System Information Discovery, System Network Configuration Discovery, Automated Exfiltration, File and Directory Discovery, Masquerade Task or Service, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Multi-hop Proxy, Disable or Modify Tools, Non-Standard Port, Asymmetric Cryptography, Security Software Discovery, Hidden Window, File Deletion, Web Protocols, Ingress Tool Transfer, Service Execution
S0178 Truvasys (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21) (Citation: Microsoft Win Defender Truvasys Sep 2017) Masquerade Task or Service, Registry Run Keys / Startup Folder

References

  1. Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.
  2. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  3. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  4. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.