Group-IB security researchers have shared a technical analysis of Prometheus TDS, an underground service that over the past several months has been used for the distribution of various malware families, such as Buer Loader, Campo Loader, Hancitor, IcedID, QBot, and SocGholish.
Prometheus TDS (Traffic Direction System) is a malware-as-a-service (MaaS) solution that has been promoted on underground forums since August 2020, being described as a platform that can send emails, work with traffic, and help with social engineering.
Also, the TDS can be used for web shell validation and redirect creation and management, can operate via proxy, supports Google accounts, and can validate users against blacklists. The service is offered at $250 per month, Group-IB’s researchers discovered.
In addition to the distribution of malicious files, the service is being used to redirect victims to phishing and malicious sites. The first campaign leveraging Prometheus TDS was discovered in the spring of 2021, with additional active campaigns observed since, for a total of more than 3,000 victims identified to date.
The service consists of an administrative panel that allows attackers to configure various parameters for their malicious campaigns, including the downloading of malicious files, and setting restrictions for geolocation, browsers, and operating systems.
Third-party infected websites are used as the middleman between the administrative panel and the victim. On these websites, Group-IB’s security researchers discovered a PHP file named Prometheus.Backdoor that was designed to collect and transmit data about the user.
Based on the analysis of this data, the panel decides whether to serve a payload to the victim or redirect them to a specified URL.
The service has been used to send malicious emails to more than 3,000 addresses to date. The most active campaign targeted individuals in Belgium (more than 2,000 emails), while the second largest attack targeted US entities (more than 260 emails targeting government agencies and organizations in sectors such as finance, insurance, healthcare, energy and mining, retail, IT, and cybersecurity).
A typical attack involving Prometheus TDS starts with a malicious email that either carries a HTML file to redirect the victim to a compromised site, a link to a web shell that performs a redirection, or a link to a Google Doc that contains a URL designed to redirect the user to a malicious site.
Once the victim follows the link, they are redirected to the Prometheus.Backdoor URL where their data (including IP address, User-Agent, language, time zone, and referrer header) is collected and sent to the Prometheus TDS admin panel, which decides how to serve the next stage.
On some infrastructure used to host Prometheus TDS, the researchers discovered an unknown panel that they eventually identified as the BRChecker service, an email address bruterchecker that first appeared on underground forums in 2018. As of May 2021, the service is being offered at $490.