Targeted attacks are typically carried out against individuals to obtain intellectual property and other valuable data from target organizations. These individuals are either directly in possession of the targeted information or are able to connect to networks where the information resides. Microsoft researchers have encountered twin threat activity groups that appear to target individuals for reasons that are quite uncommon.
Unlike many activity groups, which typically gather information for monetary gain or economic espionage, PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals. These activity groups are also unusual in that they use the same zero-day exploit to launch attacks at around the same time in the same region. Their targets, however, appear to be individuals that do not share common affiliations.
Similarly timed attacks
In early May 2016, both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe. They both used an exploit for CVE-2016-4117, a vulnerability in Adobe Flash Player that, at the time, was both unknown and unpatched.
PROMETHIUM distributed links through instant messengers, pointing recipients to malicious documents that invoked the exploit code to launch Truvasys on victim computers. Meanwhile, NEODYMIUM used well-tailored spear-phishing emails with attachments that delivered the exploit code, ultimately leading to Wingbird’s installation on victim computers.
While the use of the same exploit code could be attributed to coincidence, the timing of the campaigns and the geographic location of victims lend credence to the theory that the campaigns are somehow related.
Activity group profiles
PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.
NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.
More information here:
Indicators of compromise