SYMBOLCOMMON_NAMEaka. SYNONYMS

PROMETHIUM  (Back to overview)

aka: StrongPity, G0056

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.


Associated Families
win.strongpity

References
2022-03-23QianxinRed Raindrop Team
@online{team:20220323:analysis:225d95b, author = {Red Raindrop Team}, title = {{Analysis of Attack Activity of PROMETHIUM Disguised}}, date = {2022-03-23}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/}, language = {Chines}, urldate = {2022-03-25} } Analysis of Attack Activity of PROMETHIUM Disguised
StrongPity
2021-12-09Minerva LabsNatalie Zargarov
@online{zargarov:20211209:new:2875937, author = {Natalie Zargarov}, title = {{A new StrongPity variant hides behind Notepad++ installation}}, date = {2021-12-09}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation}, language = {English}, urldate = {2021-12-13} } A new StrongPity variant hides behind Notepad++ installation
StrongPity
2021-11-30QianxinRed Raindrop Team
@online{team:20211130:cyberspaces:e8efd82, author = {Red Raindrop Team}, title = {{Cyberspace's Magic Eye: PROMETHIUM Fakes attack activity analysis of NotePads and installation packages}}, date = {2021-11-30}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/nQVUkIwkiQTj2pLaNYHeOA}, language = {Chinese}, urldate = {2021-12-07} } Cyberspace's Magic Eye: PROMETHIUM Fakes attack activity analysis of NotePads and installation packages
StrongPity
2021-11-05BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211105:hunter:3c7bab9, author = {The BlackBerry Research & Intelligence Team}, title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}}, date = {2021-11-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/zebra2104}, language = {English}, urldate = {2021-11-08} } Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-05-24Anchored Narratives on Threat Intelligence and GeopoliticsRJM
@online{rjm:20210524:tracking:3da0800, author = {RJM}, title = {{Tracking StrongPity with Yara}}, date = {2021-05-24}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara}, language = {English}, urldate = {2021-06-21} } Tracking StrongPity with Yara
StrongPity
2021-04-18Anchored Narratives on Threat Intelligence and GeopoliticsRJM
@online{rjm:20210418:recover:9b9c0a8, author = {RJM}, title = {{Recover your files with StrongPity}}, date = {2021-04-18}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity}, language = {English}, urldate = {2021-05-25} } Recover your files with StrongPity
StrongPity
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-02-01Medium 0xthreatintel0xthreatintel
@online{0xthreatintel:20210201:uncovering:d7b9216, author = {0xthreatintel}, title = {{Uncovering APT-C-41 (StrongPity) Backdoor}}, date = {2021-02-01}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4}, language = {English}, urldate = {2021-02-02} } Uncovering APT-C-41 (StrongPity) Backdoor
StrongPity
2020-12-31cyblecybleinc
@online{cybleinc:20201231:strongpity:bb6ab94, author = {cybleinc}, title = {{StrongPity APT Extends Global Reach with New Infrastructure}}, date = {2020-12-31}, organization = {cyble}, url = {https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/}, language = {English}, urldate = {2021-01-04} } StrongPity APT Extends Global Reach with New Infrastructure
StrongPity
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-10-30360Threat Intelligence Center
@online{center:20201030:aptc41:ede60de, author = {Threat Intelligence Center}, title = {{蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露}}, date = {2020-10-30}, organization = {360}, url = {https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg}, language = {Chinese}, urldate = {2020-11-02} } 蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露
StrongPity
2020-06-30BitdefenderLiviu Arsene, Radu Tudorica, Cristina Vatamanu, Alexandru Maximciuc
@techreport{arsene:20200630:strongpity:ed365fb, author = {Liviu Arsene and Radu Tudorica and Cristina Vatamanu and Alexandru Maximciuc}, title = {{StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure}}, date = {2020-06-30}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf}, language = {English}, urldate = {2020-06-30} } StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure
StrongPity
2020-06-29Cisco TalosWarren Mercer, Paul Rascagnères, Vitor Ventura
@online{mercer:20200629:promethium:e80cd47, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{PROMETHIUM extends global reach with StrongPity3 APT}}, date = {2020-06-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html}, language = {English}, urldate = {2020-06-30} } PROMETHIUM extends global reach with StrongPity3 APT
StrongPity
2019MITREMITRE ATT&CK
@online{attck:2019:promethium:845588e, author = {MITRE ATT&CK}, title = {{Group description: PROMETHIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0056/}, language = {English}, urldate = {2019-12-20} } Group description: PROMETHIUM
PROMETHIUM
2019MITREMITRE ATT&CK
@online{attck:2019:neodymium:2979fa4, author = {MITRE ATT&CK}, title = {{Group description: NEODYMIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0055/}, language = {English}, urldate = {2019-12-20} } Group description: NEODYMIUM
NEODYMIUM PROMETHIUM
2018-03-09Bill Marczak, Jakub Dalek, Sarah McKune, Adam Senft, John Scott-Railton, Ron Deibert
@online{marczak:20180309:sandvines:14ef912, author = {Bill Marczak and Jakub Dalek and Sarah McKune and Adam Senft and John Scott-Railton and Ron Deibert}, title = {{Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?}}, date = {2018-03-09}, url = {https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/}, language = {English}, urldate = {2020-01-05} } Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?
StrongPity
2017-12-08ESET ResearchFilip Kafka
@online{kafka:20171208:strongpity2:116d419, author = {Filip Kafka}, title = {{StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?}}, date = {2017-12-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/}, language = {English}, urldate = {2019-11-14} } StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?
StrongPity
2016-12-14MicrosoftMicrosoft Defender ATP Research Team
@online{team:20161214:twin:17e1d49, author = {Microsoft Defender ATP Research Team}, title = {{Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe}}, date = {2016-12-14}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/}, language = {English}, urldate = {2020-01-13} } Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe
PROMETHIUM
2016-10-12Twitter (@PhysicalDrive0)PhysicalDrive0
@online{physicaldrive0:20161012:strongpity:86fba4e, author = {PhysicalDrive0}, title = {{Tweet on StrongPity}}, date = {2016-10-12}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/physicaldrive0/status/786293008278970368}, language = {English}, urldate = {2020-01-06} } Tweet on StrongPity
StrongPity
2016-10-06Virus BulletinKurt Baumgartner
@online{baumgartner:20161006:strongpity:898bc2b, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-06}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users}, language = {English}, urldate = {2020-01-09} } On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users
PROMETHIUM
2016-10-03Kaspersky LabsKurt Baumgartner
@online{baumgartner:20161003:strongpity:d4a8c09, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/}, language = {English}, urldate = {2019-12-20} } On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users
StrongPity

Credits: MISP Project