>samit_hota
Back to adversary profiles
G0056HighActive

PROMETHIUM (StrongPity): A Resilient Espionage Threat

Samit Hota·
Suspected Origin
Turkey (suspected state-sponsored)
Motivation
Espionage, Information Theft
Aliases
StrongPity
Target Sectors
Government, Telecommunications, Users of encryption tools, Technologically-oriented individuals/organizations, Unspecified
Associated Malware
StrongPity, StrongPity2, StrongPity3, Truvasys, customized Android backdoor
#threat-actor#g0056

Overview

PROMETHIUM, also widely known as StrongPity (G0056), is a highly persistent and adaptive advanced persistent threat (APT) group focused squarely on cyber espionage. Active since at least 2012, this group has consistently demonstrated its resolve and capability to conduct operations globally, with a historical emphasis on targets within Turkey and Syria. While some reporting suggests a potential state-sponsored attribution with political motivations, particularly concerning the Kurdish conflict, PROMETHIUM’s operational reach has expanded significantly beyond its initial geographic focus. The group has been observed operating across Europe, North Africa, Canada, India, Colombia, and Vietnam, indicating either a broadening victimology or the potential sale of its sophisticated tooling to other threat actors. PROMETHIUM has also exhibited similarities to another activity group, NEODYMIUM, sharing victim characteristics and campaign approaches, including the use of common exploit code in early campaigns.

Tactics & Techniques

PROMETHIUM’s hallmark tactic for initial access involves sophisticated watering hole attacks and the distribution of trojanized versions of legitimate software. Rather than creating entirely new software, the group expertly repackages popular applications, such as file archivers (WinRAR), encryption tools (TrueCrypt), file recovery applications, browsers (Firefox), VPN clients (VPNpro), driver packs (DriverPack), media players (5kPlayer), and even productivity tools like Notepad++. These trojanized installers deliver the group’s malware while simultaneously installing the legitimate software, providing a seemingly normal user experience and hindering detection. In some instances, they have compromised official government websites, such as the Syrian E-Gov portal, to distribute these malicious Android applications.

For persistence, PROMETHIUM utilizes standard operating system mechanisms like Registry run keys and the creation or modification of Windows services. On Android platforms, they leverage broadcast receivers to ensure their malware restarts automatically, for example, upon device boot or connectivity changes.

Defense evasion is a critical part of their operational security. The group employs self-signed certificates to sign their malicious installers and to secure their HTTPS command and control (C2) traffic, making it appear legitimate. They also masquerade malicious service names to blend in with legitimate system processes and, in Windows environments, use PowerShell to add their malware’s directories to Windows Defender exclusion lists. On Android, their malware can attempt to disable the SecurityLogAgent if root access is obtained.

Once established, PROMETHIUM engages in extensive data collection. Their malware is designed to discover and exfiltrate specific file types, often focusing on Microsoft Office documents. Beyond documents, their Android implants are particularly invasive, capable of collecting a wide array of personal data including call logs, contact lists, SMS messages, device location, installed applications, Wi-Fi network information, and even notification messages from popular messaging and social media applications such as Viber, Skype, Gmail, Messenger, and Tinder. Command and control communication typically occurs over HTTPS, and the group has been known to employ multi-tiered proxy infrastructures to obscure their C2 servers and complicate forensic investigations.

Notable Campaigns

PROMETHIUM’s operational history includes several significant campaigns. In May 2016, they were observed exploiting a zero-day vulnerability (CVE-2016-4117) in Adobe Flash Player to deliver their Truvasys malware to specific individuals in Europe, often via malicious documents sent through instant messengers. Later that year, they launched attacks primarily targeting users of encryption tools like WinRAR and TrueCrypt in Italy, Turkey, Belgium, Algeria, and France. These campaigns involved compromising legitimate software distribution sites or redirecting users to poisoned installers through deceptive links.

In 2018, the group was linked to the infection of a Turkish telecommunications company, leveraging this access to target hundreds of users in Turkey and Syria. This operation potentially involved in-path request interception, a technique where attackers manipulate network traffic to deliver malicious content, possibly utilizing devices like Sandvine’s PacketLogic.

The group continued its activity into 2019 and 2020, with campaigns targeting diverse regions including Turkey, Syria, Colombia, India, Canada, and Vietnam. These operations maintained the strategy of using trojanized installers for applications such as Firefox, VPNpro, DriverPack, and 5kPlayer.

A significant development in 2021 was the first public observation of PROMETHIUM deploying Android malware. This involved a trojanized version of the official Syrian e-Gov Android application, distributed through the compromised government website. This marked an expansion of their targeting to mobile platforms. This mobile focus continued into a campaign active from November 2021 to at least January 2023, where they distributed a trojanized Telegram app. This malicious application was disguised as the Shagle video chat app and spread via a sophisticated copycat website impersonating the legitimate service. The Android backdoor in this campaign was highly modular and equipped with extensive spying features.

Associated Malware & Tools

The primary malware associated with PROMETHIUM is also referred to as StrongPity. This sophisticated backdoor is modular, allowing the group to deploy specific functionalities as needed. StrongPity can download and execute additional binary modules, hide its console window to operate stealthily, delete exfiltrated files, and collect detailed system information, including hard disk volume serial numbers and IP addresses. It utilizes AES encryption for obfuscating its code and strings, as well as for securing its C2 communications.

Another key component in their arsenal is Truvasys, often used as a first-stage malware. Truvasys has been repeatedly observed in various campaigns, masquerading as common computer utilities to gain initial footholds.

For their Android operations, PROMETHIUM has developed highly specialized modules integrated into their custom Android backdoors. These modules enable a wide range of surveillance capabilities, including recording phone calls, collecting SMS messages, logging call history, extracting contact lists, tracking device location, and intercepting notification messages from various messaging applications.

In terms of specific operational tools, PROMETHIUM has been noted for its use of PowerShell scripts to perform tasks like adding exclusions to Windows Defender, a common defense evasion technique. The evolution of their malware, with variants sometimes referred to as StrongPity2 and StrongPity3, indicates ongoing development and adaptation of their toolset.

Current Status

PROMETHIUM remains an active and formidable threat actor. Despite numerous public exposures of their campaigns and techniques over the years, the group has consistently demonstrated resilience, adapting its toolset and infrastructure rather than ceasing operations. Their tactics, techniques, and procedures (TTPs) show an evolutionary pattern, with incremental updates and refinements rather than complete overhauls, suggesting a well-resourced and persistent operational agenda.

The most recent reported activities, particularly the Android campaigns in 2021-2023, underscore their continued adaptation to new platforms and their unwavering commitment to espionage. The expansion of their victimology to a more global scale, extending far beyond their traditional focus areas in the Middle East and Europe, suggests either a deliberate broadening of their targeting strategy or the possibility that their sophisticated malicious framework is being leased or sold to other actors. Organizations across various sectors and regions, especially those with interests in areas historically targeted by PROMETHIUM or those whose users frequently download common software utilities, should maintain high vigilance against this persistent and evolving threat.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call