SecurityWeek

Prometheus TDS – Underground Service Distributing Several Malware Families

Group-IB security researchers have shared a technical analysis of Prometheus TDS, an underground service that over the past several months has been used for the distribution of various malware families, such as Buer Loader, Campo Loader, Hancitor, IcedID, QBot, and SocGholish.

Prometheus TDS (Traffic Direction System) is a malware-as-a-service (MaaS) solution that has been promoted on underground forums since August 2020, being described as a platform that can send emails, work with traffic, and help with social engineering.

The TDS can also be used for web shell validation and for creating and managing redirects; it can operate via proxy, supports Google accounts, and can validate users against blacklists. The service is offered at $250 per month, Group-IB's researchers discovered.

In addition to the distribution of malicious files, the service is being used to redirect victims to phishing and malicious sites. The first campaign leveraging Prometheus TDS was discovered in the spring of 2021, with additional active campaigns observed since, for a total of more than 3,000 victims identified to date.

The service consists of an administrative panel that allows attackers to configure various parameters for their malicious campaigns, including the downloading of malicious files, and setting restrictions for geolocation, browsers, and operating systems.

Third-party infected websites are used as the middleman between the administrative panel and the victim. On these websites, Group-IB’s security researchers discovered a PHP file named Prometheus.Backdoor that was designed to collect and transmit data about the user.

Based on the analysis of this data, the panel decides whether to serve a payload to the victim or redirect them to a specified URL.

The service has been used to send malicious emails to more than 3,000 addresses to date. The most active campaign targeted individuals in Belgium (more than 2,000 emails), while the second largest attack targeted US entities (more than 260 emails targeting government agencies and organizations in sectors such as finance, insurance, healthcare, energy and mining, retail, IT, and cybersecurity).

A typical attack involving Prometheus TDS starts with a malicious email that carries either an HTML file that redirects the victim to a compromised site, a link to a web shell that performs a redirection, or a link to a Google Doc containing a URL that redirects the user to a malicious site.

Once the victim follows the link, they are redirected to the Prometheus.Backdoor URL where their data (including IP address, User-Agent, language, time zone, and referrer header) is collected and sent to the Prometheus TDS admin panel, which decides how to serve the next stage.
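The gating behaviour described above (the panel's geolocation, browser and OS restrictions, and the per-visitor decision to serve a payload or redirect) is what analysts can exploit to detect a TDS: request the same URL under several deliberately different client profiles and compare where each request ends up. The following is an added example, not Group-IB's or SecurityWeek's code. It runs offline against a constructed stand-in server (`fake_tds_fetch`) that imitates the branching the article describes; the profile headers, hostnames and the `urllib_fetch` helper are assumptions for illustration.

```python
"""Surface TDS-style cloaking by probing one URL with several client profiles.

A TDS fingerprints visitors on attributes such as User-Agent (OS/browser),
Accept-Language, Referer and source IP, and serves each a different next
stage. Fetching the same URL under varied profiles and diffing the outcomes
makes that branching visible without executing anything the server returns.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class ClientProfile:
    """Request headers a TDS might key on (constructed values, assumptions)."""
    name: str
    headers: Dict[str, str]


@dataclass(frozen=True)
class Observation:
    """One probe result: status, Location header if redirected, content type."""
    profile: str
    status: int
    location: Optional[str]
    content_type: str


# Anything that performs a request: (url, headers) -> (status, location, content_type).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Optional[str], str]]

# Constructed probe profiles: vary OS/browser, language and Referer independently
# so a single differing attribute can be attributed to a single profile.
PROFILES: List[ClientProfile] = [
    ClientProfile("windows-chrome-en", {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0",
        "Accept-Language": "en-US,en;q=0.9", "Referer": "https://docs.google.com/"}),
    ClientProfile("windows-chrome-nl", {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0",
        "Accept-Language": "nl-BE,nl;q=0.9", "Referer": "https://docs.google.com/"}),
    ClientProfile("mac-safari-nl", {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_4) Safari/605.1",
        "Accept-Language": "nl-BE,nl;q=0.9", "Referer": "https://docs.google.com/"}),
    ClientProfile("scanner-no-referer", {
        "User-Agent": "curl/7.68.0", "Accept-Language": "en-US"}),
]

PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/zip"}
PAYLOAD_SUFFIXES = (".exe", ".zip", ".msi", ".iso")


def outcome_key(obs: Observation) -> str:
    """Collapse a response into a 'where did this visitor end up' bucket."""
    if obs.location:
        u = urlparse(obs.location)
        return f"redirect:{u.netloc}{u.path}"
    return f"inline:{obs.status}:{obs.content_type}"


def probe(url: str, fetcher: Fetcher, profiles: List[ClientProfile] = PROFILES) -> List[Observation]:
    """Fetch the URL once per profile, never following redirects."""
    return [Observation(p.name, *fetcher(url, p.headers)) for p in profiles]


def classify(observations: List[Observation]) -> dict:
    """More than one outcome for the same URL means the server branches on
    client attributes, which is the defining behaviour of a TDS."""
    buckets: Dict[str, List[str]] = {}
    for obs in observations:
        buckets.setdefault(outcome_key(obs), []).append(obs.profile)
    payload_to = [o.profile for o in observations
                  if o.content_type in PAYLOAD_TYPES
                  or (o.location or "").lower().endswith(PAYLOAD_SUFFIXES)]
    return {"cloaking_suspected": len(buckets) > 1,
            "outcomes": buckets, "payload_served_to": payload_to}


def fake_tds_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str], str]:
    """Constructed stand-in for a gated landing page so the example runs offline.
    It imitates the described behaviour: drop non-browser visitors, then branch
    on OS and language. Hostnames are placeholders."""
    ua = headers.get("User-Agent", "")
    if "Mozilla" not in ua or "Referer" not in headers:
        return 404, None, "text/html"
    if "Windows" in ua and headers.get("Accept-Language", "").startswith("nl"):
        return 302, "https://cdn.example.invalid/invoice.zip", "text/html"
    return 302, "https://decoy.example.invalid/", "text/html"


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str], str]:
    """Real fetcher (assumed helper, not exercised offline): one request with
    redirects disabled so the Location header itself is the observation."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None  # make urllib raise HTTPError on 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, r.headers.get("Location"), r.headers.get("Content-Type", "")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.headers.get("Content-Type", "")


if __name__ == "__main__":
    report = classify(probe("https://compromised.example.invalid/x.php", fake_tds_fetch))
    for key, profiles in report["outcomes"].items():
        print(f"{key:55} <- {', '.join(profiles)}")
    print("cloaking suspected:", report["cloaking_suspected"],
          "| payload served to:", report["payload_served_to"])
```

Against the stand-in server the four profiles land in three different buckets, and only the Windows/Dutch-language profile is handed the archive, which is exactly the Belgium-focused, Windows-targeted pattern the article reports. Two practical limits: geolocation gating keys on the source IP, so probing from one egress cannot exercise that branch (repeat from analysis hosts in different regions), and a panel can blacklist an IP after the first request, so a profile order that starts with the least suspicious browser-like headers gives the most informative first observation.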

On some infrastructure used to host Prometheus TDS, the researchers discovered an unknown panel that they eventually identified as the BRChecker service, an email-address brute-forcing and checking tool that first appeared on underground forums in 2018. As of May 2021, the service is being offered at $490.

Related: Hackers Compromise Mongolian Certificate Authority to Spread Malware

Related: Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration

Written by Ionut Arghire, an international correspondent for SecurityWeek.
