PROMETHIUM extends global reach with StrongPity3 APT
The PROMETHIUM threat actor, active since 2012, has been exposed multiple times in the last several years. However, this has not deterred the actor from expanding and continuing its activities. By combining indicators such as code similarity, command and control (C2) paths, toolkit construction and malicious behaviour, Cisco Talos identified around 30 new C2 domains. We assess that PROMETHIUM activity corresponds to five peaks of activity when the domains are clustered by the month and year of their creation date.
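The clustering step described above, grouping C2 domains by the month and year of their creation date to surface waves of activity, as an added example that is not part of the Talos report; the domain names and dates are constructed placeholders, not indicators from the report:

```python
from collections import Counter
from datetime import date

# Constructed sample records: (domain, WHOIS creation date).
# These are placeholders for illustration, not the report's C2 domains.
SAMPLE_DOMAINS = [
    ("c2-sample-a.invalid", date(2019, 3, 4)),
    ("c2-sample-b.invalid", date(2019, 3, 19)),
    ("c2-sample-c.invalid", date(2019, 4, 2)),
    ("c2-sample-d.invalid", date(2019, 9, 11)),
    ("c2-sample-e.invalid", date(2020, 1, 7)),
    ("c2-sample-f.invalid", date(2020, 1, 23)),
    ("c2-sample-g.invalid", date(2020, 2, 3)),
    ("c2-sample-h.invalid", date(2020, 5, 15)),
]


def month_index(d):
    """Map a date to a monotonically increasing month number (year*12 + month-1)."""
    return d.year * 12 + d.month - 1


def index_to_label(idx):
    """Turn a month number back into a 'YYYY-MM' label."""
    return f"{idx // 12}-{idx % 12 + 1:02d}"


def cluster_by_month(records):
    """Count domain registrations per calendar month, keyed as 'YYYY-MM'."""
    counts = Counter(index_to_label(month_index(d)) for _, d in records)
    return dict(sorted(counts.items()))


def registration_waves(records):
    """Group registrations into waves of consecutive calendar months.
    Returns a list of (first_month, last_month, domain_count); each wave is
    a candidate campaign peak of the kind the text describes."""
    counts = Counter(month_index(d) for _, d in records)
    waves = []
    for idx in sorted(counts):
        if waves and idx == waves[-1][1] + 1:
            start, _, n = waves[-1]
            waves[-1] = (start, idx, n + counts[idx])  # extend the current wave
        else:
            waves.append((idx, idx, counts[idx]))  # gap in months: new wave
    return [(index_to_label(s), index_to_label(e), n) for s, e, n in waves]


if __name__ == "__main__":
    for wave in registration_waves(SAMPLE_DOMAINS):
        print(wave)
```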
Talos telemetry indicates that PROMETHIUM is expanding its reach and attempting to infect new targets across several countries. The samples linked to StrongPity3 targeted victims in Colombia, India, Canada and Vietnam. We observed at least four new trojanized setup files: Firefox (a web browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player).
Talos cannot pinpoint the initial attack vector; however, the use of trojanized installation files for well-known applications is consistent with previously documented campaigns. This leads us to believe that, just as before, the initial vector is either a watering-hole attack or in-path request interception, as described in a CitizenLab report from 2018. This group focuses on espionage, and these latest campaigns continue down the same path. The malware will exfiltrate any Microsoft Office file it encounters on the system. Previous research has linked PROMETHIUM to state-sponsored threats. The fact that the group does not refrain from launching new campaigns even after exposure shows its resolve to accomplish its mission.