BlackBerry Researchers Dive Into Prometheus TDS Operations

BlackBerry’s security researchers have closely analyzed the Prometheus TDS (Traffic Direction System) and discovered a correlation with a leaked Cobalt Strike SSL key pair, as well as with various malware families.

First detailed in August 2021, the Prometheus TDS, which is mainly used by Russian threat actors, facilitates various Malware-as-a-Service (MaaS) operations, as well as phishing redirections. Previously, it was associated with the distribution of malware families such as Buer Loader, Campo Loader, Hancitor, IcedID, QBot, and SocGholish.

Typically, a TDS would be part of an exploit kit (EK) redirection chain, but with the EK landscape declining heavily over the past few years, TDSes have evolved, and Prometheus emerged as a full-bodied platform.

The threat actor behind Prometheus – who uses the online handle of Ma1n – relies heavily on cracked/leaked copies of the Cobalt Strike adversary simulation platform, BlackBerry says in a report published today.

Moreover, the adversary was observed moving away from the Prometheus backdoor, which was designed for fingerprinting victims and which previously served as an integral part of the Prometheus TDS execution chain.

BlackBerry also discovered that some of the activity associated with Prometheus overlaps with the use of an SSL private key that was bundled within a cracked version of Cobalt Strike 4.2 and has been used as part of malicious Cobalt Strike installations.


“This cracked version (and the SSL Key) appears to be so heavily relied upon by Prometheus affiliates that we speculate that this same illegitimate copy of Cobalt Strike could perhaps be proliferated by the Prometheus operators themselves,” BlackBerry says.

The researchers believe that an individual associated with Prometheus might be maintaining the cracked copy of Cobalt Strike.

Over the past couple of years, this cracked version of Cobalt Strike was used by malicious groups/malware such as StrongPity, FickerStealer, Fin7, Man1, Mirai, Qakbot, Bashlite/Gafgyt, IcedID, Conti, Ryuk, BlackMatter, Cerber ransomware, and initial access broker Zebra2104.

Campaigns that likely used both Cobalt Strike and Prometheus include DarkCrystalRAT (commercial remote access Trojan), FickerStealer (Rust-based information stealer), Cerber ransomware (a major threat in 2016), REvil/Sodinokibi (a RaaS group that Russia’s intelligence service dismantled last week), Ryuk ransomware (operated by WizardSpider), BlackMatter ransomware (which announced shutdown in November 2021), and Qakbot (potent backdoor/malware dropper).

BlackBerry’s analysis of this Prometheus/Cobalt Strike-related activity also revealed the use of Team Servers, with all campaigns using the leaked build of Team Server showing “a tendency to target organizations within the public sector.”

Related: Prometheus TDS – Underground Service Distributing Several Malware Families

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
