{"description": "Mobile techniques used by PROMETHIUM, ATT&CK group G0056 (v2.1)", "name": "PROMETHIUM (G0056)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1517", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect message notifications from 17 applications.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to communicate with the C2 server using HTTPS.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1532", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to exfiltrate encrypted data to the C2 server.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1429", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to record phone calls.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1456", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) distributed [StrongPity](https://attack.mitre.org/software/S0491) through the compromised official Syrian E-Gov website.(Citation: trendmicro_strongpity) ", "score": 1, "color": "#ff6666", 
"showSubtechniques": false}, {"techniqueID": "T1521", "showSubtechniques": true}, {"techniqueID": "T1521.001", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to encrypt C2 communication using AES.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1624", "showSubtechniques": true}, {"techniqueID": "T1624.001", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to receive the following broadcast events to establish persistence: `BOOT_COMPLETED`, `BATTERY_LOW`, `USER_PRESENT`, `SCREEN_ON`, `SCREEN_OFF`, or `CONNECTIVITY_CHANGE`.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1646", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to exfiltrate to the C2 server using HTTPS.(Citation: welivesec_strongpity)(Citation: trendmicro_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1420", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect file lists on the victim device.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1629", "showSubtechniques": true}, {"techniqueID": "T1629.003", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to modify permissions on a rooted device and tried to 
disable the SecurityLogAgent application.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1544", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to receive files from the C2 and execute them via the parent application.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1430", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to access the device\u2019s location.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) on a compromised website to distribute a malicious version of a legitimate application.(Citation: trendmicro_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1406", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to obfuscate code and strings to evade detection.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.002", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect call logs.(Citation: welivesec_strongpity) ", "score": 1, "color": 
"#ff6666", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect the device\u2019s contact list.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect SMS messages.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1418", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to obtain a list of installed applications.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect the device\u2019s information, such as the SIM serial number, etc.(Citation: welivesec_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1421", "comment": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect information regarding available Wi-Fi networks.(Citation: trendmicro_strongpity) ", "score": 1, "color": "#ff6666", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PROMETHIUM", "color": "#66b1ff"}, {"label": "used by a campaign 
attributed to PROMETHIUM", "color": "#ff6666"}, {"label": "used by PROMETHIUM and used by a campaign attributed to PROMETHIUM", "color": "#ff66f4"}]}