By Warren Mercer, Paul Rascagneres and Vitor Ventura.
News summary
The threat actor behind StrongPity is not deterred despite being exposed multiple times over the past four years.
They continue to expand their victimology and attack seemingly non related countries.
This kind of continuous improvement suggests there is a possibility that this is an exported solution for other actors to use.
Executive summary
The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, Cisco Talos identified around 30 new C2 domains. We assess that PROMETHIUM activity corresponds to five peaks of activity when clustered by the creation date month and year.
What's new?
Talos telemetry shows that PROMETHIUM is expanding its reach and attempts to infect new targets across several countries. The samples related to StrongPity3 targeted victims in Colombia, India, Canada and Vietnam. The group has at least four new trojanized setup files we observed: Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player).
How did it work?
Talos could not pinpoint the initial attack vector, however, the use of trojanized installation files to well-known applications is consistent with the previously documented campaigns. This ..
Support the originator by clicking the read the rest link below.
