Prometheus TDS – Underground Service Distributing Several Malware Families

Group-IB security researchers have shared a technical analysis of Prometheus TDS, an underground service that over the past several months has been used for the distribution of various malware families, such as Buer Loader, Campo Loader, Hancitor, IcedID, QBot, and SocGholish.

Prometheus TDS (Traffic Direction System) is a malware-as-a-service (MaaS) solution that has been promoted on underground forums since August 2020, being described as a platform that can send emails, work with traffic, and help with social engineering.

Also, the TDS can be used for web shell validation and redirect creation and management, can operate via proxy, supports Google accounts, and can validate users against blacklists. The service is offered at $250 per month, Group-IB’s researchers discovered.

In addition to the distribution of malicious files, the service is being used to redirect victims to phishing and malicious sites. The first campaign leveraging Prometheus TDS was discovered in the spring of 2021, with additional active campaigns observed since, for a total of more than 3,000 victims identified to date.

The service consists of an administrative panel that allows attackers to configure various parameters for their malicious campaigns, including the downloading of malicious files, and setting restrictions for geolocation, browsers, and operating systems.

Third-party infected websites are used as the middleman between the administrative panel and the victim. On these websites, Group-IB’s security researchers discovered a PHP file named Prometheus.Backdoor that was designed to collect and transmit data about the user.

Based on the analysis of this data, the panel decides whether to serve a payload to the victim or redirect them to a specified URL.

The service has been used to send malicious emails to more than 3,000 addresses to date. The most active campaign targeted individuals in Belgium (more than 2,000 emails), while the second largest attack targeted US entities (more than 260 emails targeting government agencies and organizations in sectors such as finance, insurance, healthcare, energy and mining, retail, IT, and cybersecurity).

A typical attack involving Prometheus TDS starts with a malicious email that carries either an HTML file that redirects the victim to a compromised site, a link to a web shell that performs the redirection, or a link to a Google Doc containing a URL designed to redirect the user to a malicious site.

Once the victim follows the link, they are redirected to the Prometheus.Backdoor URL where their data (including IP address, User-Agent, language, time zone, and referrer header) is collected and sent to the Prometheus TDS admin panel, which decides how to serve the next stage.
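The chain just described (click from a Google Doc or mail-delivered HTML file, a PHP script on a third-party site answering with a redirect, then a download from another host) can be hunted for in web proxy logs. The following is an added detection example, not Group-IB's or SecurityWeek's code; the log layout, hostnames and time window are constructed placeholders, not indicators from the article.

```python
# Added example (not Group-IB's or SecurityWeek's code): flag the redirect chain the
# article describes in a constructed proxy log. Hosts and the log layout are placeholders.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one request per line, in time order:
# time client method url status referer content-type
SAMPLE_LOG = """\
2021-05-03T10:00:01 10.0.0.5 GET https://compromised.example/wp-content/x.php 302 https://docs.google.com/document/d/EXAMPLE text/html
2021-05-03T10:00:02 10.0.0.5 GET https://payload.example/inv.zip 200 - application/zip
2021-05-03T10:05:00 10.0.0.7 GET https://intranet.example/app/login.php 302 https://intranet.example/ text/html
2021-05-03T10:05:01 10.0.0.7 GET https://intranet.example/app/home 200 https://intranet.example/app/login.php text/html
"""

LINE = re.compile(r"^(\S+) (\S+) \S+ (\S+) (\d{3}) (\S+) (\S+)$")
HOST = re.compile(r"^https?://([^/]+)")
DOWNLOAD_TYPES = {"application/zip", "application/octet-stream", "application/x-msdownload"}
# Click came from a Google Doc, or from a mail-delivered HTML file (no referer at all, "-")
LANDING_REFERERS = {"docs.google.com", "-"}

def parse(log):
    """Yield (time, client, url, status, referer, content_type) per well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4]), m[5], m[6]

def find_chains(log, window=timedelta(seconds=30)):
    """Return (client, php_url, download_url) for each client whose request to a PHP
    script on one host, arriving from a landing referer, is answered with a 302 and
    followed within `window` by a download from a different host."""
    by_client = defaultdict(list)
    for ev in parse(log):
        by_client[ev[1]].append(ev)
    hits = []
    for client, events in by_client.items():
        for i, (ts, _, url, status, ref, _) in enumerate(events):
            m = HOST.match(ref)
            ref_host = m[1] if m else ref  # "-" marks a missing referer
            if status != 302 or ".php" not in url or ref_host not in LANDING_REFERERS:
                continue
            php_host = HOST.match(url)[1]
            for ts2, _, url2, status2, _, ctype2 in events[i + 1:]:
                if ts2 - ts > window:
                    break
                if status2 == 200 and ctype2 in DOWNLOAD_TYPES and HOST.match(url2)[1] != php_host:
                    hits.append((client, url, url2))
                    break
    return hits
```

The empty-referer branch also matches ordinary direct navigation to a PHP page followed by a legitimate download, so in production the hit list is a triage queue to enrich with mail-gateway and endpoint data rather than a verdict on its own.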

On some of the infrastructure used to host Prometheus TDS, the researchers discovered an unknown panel that they eventually identified as the BRChecker service, an email address brute-forcer and checker that first appeared on underground forums in 2018. As of May 2021, the service is being offered at $490.

Related: Hackers Compromise Mongolian Certificate Authority to Spread Malware

Related: Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
