Security Experts:

Connect with us

Hi, what are you looking for?



Two APTs Used Same Zero-Day to Target Individuals in Europe

Researchers at Microsoft have observed two separate advanced persistent threat (APT) actors that leveraged the same Flash Player zero-day vulnerability to spy on Turkish citizens living in Turkey and various other European countries.

Researchers at Microsoft have observed two separate advanced persistent threat (APT) actors that leveraged the same Flash Player zero-day vulnerability to spy on Turkish citizens living in Turkey and various other European countries.

Dubbed by Microsoft PROMETHIUM and NEODYMIUM – the company assigns chemical element names to threat actors – the groups used different infrastructure and malware, but there are some similarities that indicate a possible connection at a higher organizational level.

The attacks, spotted in early May, leveraged a Flash Player exploit (CVE-2016-4117) that Adobe patched on May 12. The groups used the same exploit at the same time, before it was publicly disclosed, and against the same type of targets.

The group tracked as PROMETHIUM has been active since at least 2012. In the attacks observed by Microsoft, the actor sent out links via instant messaging applications. The links pointed to documents set up to exploit CVE-2016-4117 in an effort to deliver a piece of malware dubbed Truvasys.

Truvasys has been mainly observed in western European countries, but it has been configured to target devices with Turkish locale settings (i.e. parameters that define the user’s language and region). This indicates that the attackers were particularly interested in Turkish citizens living in Turkey and western European countries.

In some cases, the attackers also delivered a piece of malware named Myntor, but Microsoft has not been able to determine the criteria for pushing this second threat onto a victim’s computer.

PROMETHIUM’s activities have also been analyzed by Kaspersky Lab, which named the group and its malware StrongPity. In the attacks observed by the security firm, the actor used watering holes and poisoned application installers to deliver their malware. Kaspersky noted in its analysis that StrongPity’s techniques were similar to the ones of Russia-linked threat actor Crouching Yeti (aka Energetic Bear and Dragonfly).

NEODYMIUM also leveraged the same CVE-2016-4117 exploit in early May, before its existence was disclosed. The attackers used spear-phishing emails carrying malicious documents to deliver their malware.

This group has used a backdoor, dubbed by Microsoft Wingbird, that is very similar to the notorious government-grade commercial spyware FinFisher. Researchers believe Wingbird is a relatively new version of FinFisher.

“The publisher, FinFisher GmbH, claims that it sells the software exclusively to government agencies for use in targeted and lawful criminal investigations,” Microsoft said. “The apparent use of a version of FinFisher suggests that the exploit and the spear phishing campaign that delivered it were the work of an attack group probably connected in some way to a state actor.”

More than 80 percent of NEODYMIUM victims spotted by Microsoft were located in Turkey, but infections were also detected in the U.S., Germany and the U.K. The company pointed out that Wingbird has only been used to target individuals, not devices that are part of an organization’s network.

Additional details on PROMETHIUM and NEODYMIUM, including indicators of compromise (IoC), are available in Microsoft’s latest Security Intelligence Report.

Related: Pawn Storm Group Targets Turkey

Related: Turkey to Probe Massive ‘Personal Data Leak’

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.