Promethium: A “state-backed” APT Targets India

India is among the top five countries being targeted online. Most of the attacks stem from China, Russia, Pakistan, Ukraine, Vietnam and North Korea. Recently, a sophisticated “state-backed” group has shifted its focus on India. According to experts, the cyberespionage group- Promethium is targeting millions of Indians by spying on them. This would be the second biggest cyber threat for Indias within the last two weeks.
The group is employing notorious tactics to compromise systems in India and stealing documents and encrypted devices. Promethium is targeting Indians for at least a year and the compromise happens at the Internet Service Provider (ISP) level.
Promethium hackers download malware alongside legitimate software to prevent detection. The malware targets Microsoft Office and exfiltrates specific documents.

Promethium APT

Also known as StrongPity, Promethium group’s inception dates back to 2012. Although the group is exposed time to time in gathering intelligence related to politics, the group is difficult to track down or attribute to a single threat actor.
Promethium Targeted Countries
Promethium Targeted Countries
Typically, these sophisticated APT targets countries in West Asia and Europe, including Turkey and Syria. Although, the cyber espionage group also dipped its toe in Belgium and Italy. According to Talo, the target countries now include Columbia, India, Canada and Vietnam.

A State-backed Group?

Cybersecurity experts believe Promethium is a “state-backed” group because the group resurfaces despite being exposed multiple times and the compromise happens at the ISP level. Talo discovered at least 30 command-and-control (C2) servers linked with the group’s surveillance malware- StrongPity3. StrongPity3 is a new and advanced tool added to their arsenal to victimise systems. It is the revised version of the tool: StrongPity2.
Apart from this. experts noticed that the trojans installers have compile times indicating work-weeks and 9-6 schedules, which suggests the campaign involves paid developers.
Since 2016, five security firms have recognised Promethium as a “sophisticated and stealthy surveillance project”. And Talo is the sixth which points towards the possibility of the cyberespionage group targeting India.


The attack begins when a user downloads a legitimate software. The user is then directed to a malware operated by the attackers, instead of the required software download portal. The infected page then scans the system for security and antivirus and sends the information to the hacker server without the user ever knowing.
The setup file which the user downloads get infected. Along with legitimate software, the malware is also downloaded. This is an effective technique to penetrate a system and disguise its activities. In some cases, the Promethium attackers first reconfigure Windows Defender, add itself to the exclusion list. Next, they check for the availability of antivirus and then drop the malware depending on the security level.
The malware module dropped contains three files.
  • The first file is designed to self-execute the malware module after penetration.
  • The second is an auxiliary file which establishes contact with the attackers through C2 servers. Furthermore, it launches the third fil
  • e for exfiltration of data from the host system.
  • The third file, spyware (StrongPity2/StrongPity3), does the remaining of the work. It scans the system and collects every Microsoft Office file it encounters in an infinite loop with 6,050-millisecond gaps. It creates an archive of specific file extensions if a file is larger than 160kb, it is split), encodes the archives and exfiltrates them.
The injected StrongPity spyware enables Promethium to practice prolific surveillance and gather intelligence related to politics.

StrongPity Spyware

To bolster its arsenal Promethium developed an advanced toolkit to deploy its spyware StrongPity3. StrongPity3 is a revised version of the surveillance spyware: StrongPity2.
The two spyware versions differ in their approach of performing C2 requests by switching from libcurl to winhttp and persistence mechanism turned from registry key into a service. To hide the spyware’s activities the group incorporated three infrastructure layers which included the use of proxy servers, VPNs, and IP addresses that receive forwarded data. Experts traced 47 servers with different functionalities.
Researches say that the malware module is dropped via a watering hole attack or in-path request interception — with an ISP performing an HTTP redirect.

What should Indians do?

  • Indian organisations should make sure that their users are accessing SaaS applications through corporate networks. This will allow CASBs security solution to have visibility to complete network traffic.
  • Employees of firms working from home amid the crisis should access the corporate network using VPNs.
  • Organisations should buy DLP capabilities to ensure additional data protection.
  • Practice zero-trust policy and provide minimum access to employees.
As per a PwC report, the number of cyberattacks on Indian companies has doubled in the past few we
eks. Phishing attempts have increased three-fold, threatening the ‘work from home’ IT infrastructure.

India an

Just like a simple soap bar can prevent COVID-19, following simple cyber ethics can prevent any cyber-attacks.

- Advertisement -

Ayush Dubey
Ayush Dubey
Ayush Dubey is an engineering student from IIIT Jabalpur. He has a comprehensive background in technology. Cybersecurity being his primary field of interest. He loves to meet people who are always in a hustle to learn new things.

- Advertisement -

Latest articles

Related articles