PROMETHIUM and NEODYMIUM target individuals in Europe

Targeted attacks are typically carried out against individuals to obtain intellectual property and other valuable data from target organizations. These individuals are either directly in possession of the targeted information or are able to connect to networks where the information resides. Microsoft researchers have encountered twin threat activity groups that appear to target individuals for reasons that are quite uncommon.

Unlike many activity groups, which typically gather information for monetary gain or economic espionage, PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals. These activity groups are also unusual in that they use the same zero-day exploit to launch attacks at around the same time in the same region. Their targets, however, appear to be individuals that do not share common affiliations.

Similarly timed attacks

In early May 2016, both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe. They both used an exploit for CVE-2016-4117, a vulnerability in Adobe Flash Player that, at the time, was both unknown and unpatched.

PROMETHIUM distributed links through instant messengers, pointing recipients to malicious documents that invoked the exploit code to launch Truvasys on victim computers. Meanwhile, NEODYMIUM used well-tailored spear-phishing emails with attachments that delivered the exploit code, ultimately leading to Wingbird’s installation on victim computers.

While the use of the same exploit code could be attributed to coincidence, the timing of the campaigns and the geographic location of victims lend credence to the theory that the campaigns are somehow related.

Activity group profiles

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features; this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.

More information here: 


Indicators of compromise

