
PROMETHIUM

Also known as: StrongPity · G0056 · PROMETHIUM

Origin: TR
Known aliases: 3
Attribution confidence: 50

Profile

PROMETHIUM is an activity group that has been active since at least 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, in which it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys evolved with additional features; this indicates a close relationship between the activity groups behind the campaigns and the developers of the malware.

Aliases· 3

StrongPity
PROMETHIUM
G0056

MITRE ATT&CK Group crosswalk

G0056

References

  1. https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/
  2. https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users
  3. https://attack.mitre.org/groups/G0056/

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

Software: Truvasys
Software: Prometey
Software: Prometheus
Software: StrongPity
Software: Prometei
Group: NEODYMIUM
Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.