
BlackBerry Researchers Dive Into Prometheus TDS Operations

BlackBerry’s security researchers have closely analyzed the Prometheus TDS (Traffic Direction System) and discovered a correlation with a leaked Cobalt Strike SSL key pair, as well as with various malware families.


First detailed in August 2021, the Prometheus TDS, which is mainly used by Russian threat actors, facilitates various Malware-as-a-Service (MaaS) operations, as well as phishing redirections. Previously, it was associated with the distribution of malware families such as Buer Loader, Campo Loader, Hancitor, IcedID, QBot, and SocGholish.

Typically, a TDS would be part of an exploit kit (EK) redirection chain, but with the EK landscape declining heavily over the past few years, TDSes have evolved, and Prometheus emerged as a full-bodied platform.

The threat actor behind Prometheus – who uses the online handle of Ma1n – relies heavily on cracked/leaked copies of the Cobalt Strike adversary simulation platform, BlackBerry says in a report published today.

Moreover, the adversary was observed moving away from the Prometheus backdoor, which was designed for fingerprinting victims and which previously served as an integral part of the Prometheus TDS execution chain.

BlackBerry also discovered that some of the activity associated with Prometheus overlaps with the use of an SSL private key that is found in malicious Cobalt Strike installations and that was bundled with a cracked version of Cobalt Strike 4.2.

“This cracked version (and the SSL Key) appears to be so heavily relied upon by Prometheus affiliates that we speculate that this same illegitimate copy of Cobalt Strike could perhaps be proliferated by the Prometheus operators themselves,” BlackBerry says.

The researchers believe that an individual associated with Prometheus might be maintaining the cracked copy of Cobalt Strike.


Over the past couple of years, this cracked version of Cobalt Strike was used by malicious groups/malware such as StrongPity, FickerStealer, Fin7, Man1, Mirai, Qakbot, Bashlite/Gafgyt, IcedID, Conti, Ryuk, BlackMatter, Cerber ransomware, and initial access broker Zebra2104.

Campaigns that likely used both Cobalt Strike and Prometheus include DarkCrystalRAT (commercial remote access Trojan), FickerStealer (Rust-based information stealer), Cerber ransomware (a major threat in 2016), REvil/Sodinokibi (a RaaS group that Russia’s intelligence service dismantled last week), Ryuk ransomware (operated by WizardSpider), BlackMatter ransomware (which announced shutdown in November 2021), and Qakbot (potent backdoor/malware dropper).

BlackBerry’s analysis of this Prometheus/Cobalt Strike-related activity also revealed the use of Team Servers, with all campaigns using the leaked build of Team Server showing “a tendency to target organizations within the public sector.”

Related: Prometheus TDS – Underground Service Distributing Several Malware Families

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
