Cybercrime

Prometheus TDS – Underground Service Distributing Several Malware Families

Group-IB security researchers have shared a technical analysis of Prometheus TDS, an underground service that over the past several months has been used for the distribution of various malware families, such as Buer Loader, Campo Loader, Hancitor, IcedID, QBot, and SocGholish.

Prometheus TDS (Traffic Direction System) is a malware-as-a-service (MaaS) offering that has been advertised on underground forums since August 2020. Its operators describe it as a platform that can send emails, "work with traffic", and assist with social engineering.

The TDS can also validate web shells, create and manage redirects, operate through proxies, work with Google accounts, and check visitors against blacklists. The service is offered at $250 per month, Group-IB's researchers found.

In addition to the distribution of malicious files, the service is being used to redirect victims to phishing and malicious sites. The first campaign leveraging Prometheus TDS was discovered in the spring of 2021, with additional active campaigns observed since, for a total of more than 3,000 victims identified to date.

The service consists of an administrative panel that allows attackers to configure various parameters for their malicious campaigns, including the downloading of malicious files, and setting restrictions for geolocation, browsers, and operating systems.

Third-party compromised websites act as the middleman between the administrative panel and the victim. On these websites, Group-IB's researchers found a PHP file named Prometheus.Backdoor, designed to collect data about the visitor and transmit it to the panel.

Based on that data, the panel decides whether to serve the visitor a payload or redirect them to a specified URL.

The service has been used to send malicious emails to more than 3,000 addresses to date. The most active campaign targeted individuals in Belgium (more than 2,000 emails), while the second largest attack targeted US entities (more than 260 emails targeting government agencies and organizations in sectors such as finance, insurance, healthcare, energy and mining, retail, IT, and cybersecurity).

A typical Prometheus TDS attack starts with a malicious email that carries either an HTML attachment that redirects the victim to a compromised site, a link to a web shell that performs the redirection, or a link to a Google Doc containing a URL that leads to a malicious site.

Once the victim follows the link, they are taken to the Prometheus.Backdoor URL, where their IP address, User-Agent, language, time zone and referrer (Referer) header are collected and sent to the Prometheus TDS admin panel, which then decides what to serve as the next stage.
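To make the filtering described above concrete, here is an added example (not Group-IB's analysis code and not Prometheus TDS itself) that models the serve-or-redirect decision a TDS makes from the visitor fingerprint the article lists: IP address, User-Agent, language, time zone and referrer. The geolocation, OS, browser and blacklist restrictions come from the article; the time-zone consistency check is an assumed, illustrative heuristic. All GeoIP prefixes (RFC 5737 documentation ranges), rule values, URLs and visitor profiles are constructed. The point for an analyst is the probe at the end: the same URL returns a harmless decoy to a curl fetch from a scanner range, to a VPN exit whose time zone does not match its country, and to a non-targeted OS, and only yields the payload to a profile that matches the campaign.

```python
# Added example: minimal model of a traffic direction system's cloaking decision.
# Not Prometheus TDS code; every data value below is constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Visitor:
    ip: str
    user_agent: str
    accept_language: str
    timezone: str
    referrer: str

@dataclass(frozen=True)
class CampaignRules:
    allowed_countries: frozenset
    allowed_os: frozenset
    allowed_browsers: frozenset
    blacklisted_prefixes: frozenset   # operator-maintained list, e.g. scanner/sandbox ranges
    payload_url: str
    decoy_url: str

# Constructed stand-in for a GeoIP database (documentation ranges only).
GEO_PREFIXES = {"203.0.113.": "BE", "198.51.100.": "US", "192.0.2.": "DE"}

# Assumed heuristic: a browser time zone that does not fit the IP's country
# suggests a proxy, VPN or sandbox. Not documented for Prometheus; illustrative.
TZ_BY_COUNTRY = {
    "BE": {"Europe/Brussels"},
    "DE": {"Europe/Berlin"},
    "US": {"America/New_York", "America/Chicago", "America/Denver", "America/Los_Angeles"},
}

def country_of(ip: str) -> str:
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"

def os_of(user_agent: str) -> str:
    ua = user_agent.lower()
    if "windows" in ua:
        return "Windows"
    if "android" in ua:          # checked before "linux": Android UAs contain both
        return "Android"
    if "iphone" in ua or "ipad" in ua:
        return "iOS"
    if "mac os x" in ua:
        return "macOS"
    if "linux" in ua:
        return "Linux"
    return "unknown"

def browser_of(user_agent: str) -> str:
    # Order matters: Chrome and Edge UAs also contain "Safari/".
    if "Edg/" in user_agent:
        return "Edge"
    if "Chrome/" in user_agent:
        return "Chrome"
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Safari/" in user_agent:
        return "Safari"
    return "unknown"             # curl, wget, python-requests, empty UA, ...

def decide(v: Visitor, rules: CampaignRules) -> tuple[str, str, str]:
    """Return (action, url, reason); any failed check sends the visitor to the decoy."""
    if any(v.ip.startswith(p) for p in rules.blacklisted_prefixes):
        return ("decoy", rules.decoy_url, "ip blacklisted")
    cc = country_of(v.ip)
    if cc not in rules.allowed_countries:
        return ("decoy", rules.decoy_url, f"geo {cc} not targeted")
    if cc in TZ_BY_COUNTRY and v.timezone not in TZ_BY_COUNTRY[cc]:
        return ("decoy", rules.decoy_url, f"timezone {v.timezone} inconsistent with {cc}")
    os_name = os_of(v.user_agent)
    if os_name not in rules.allowed_os:
        return ("decoy", rules.decoy_url, f"os {os_name} not targeted")
    browser = browser_of(v.user_agent)
    if browser not in rules.allowed_browsers:
        return ("decoy", rules.decoy_url, f"browser {browser} not targeted")
    return ("payload", rules.payload_url, "all checks passed")

# Constructed campaign: Belgian Windows users on mainstream browsers.
RULES = CampaignRules(
    allowed_countries=frozenset({"BE"}),
    allowed_os=frozenset({"Windows"}),
    allowed_browsers=frozenset({"Chrome", "Edge", "Firefox"}),
    blacklisted_prefixes=frozenset({"192.0.2."}),
    payload_url="https://compromised.example/files/invoice.docm",
    decoy_url="https://www.example.com/",
)

WIN_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
MAC_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/14.1 Safari/605.1.15")

# Constructed visitor profiles an analyst might compare when probing a TDS URL.
PROFILES = {
    "target_be_windows": Visitor("203.0.113.25", WIN_CHROME, "nl-BE,nl;q=0.9", "Europe/Brussels", "https://docs.google.com/"),
    "analyst_curl":      Visitor("192.0.2.7", "curl/7.68.0", "", "UTC", ""),
    "analyst_vpn_be":    Visitor("203.0.113.200", WIN_CHROME, "en-US,en;q=0.9", "America/New_York", ""),
    "be_mac_user":       Visitor("203.0.113.30", MAC_SAFARI, "fr-BE,fr;q=0.9", "Europe/Brussels", ""),
}

def probe(rules: CampaignRules = RULES, profiles: dict = PROFILES) -> dict:
    """Map each profile name to the action the TDS would take for it."""
    return {name: decide(v, rules)[0] for name, v in profiles.items()}

if __name__ == "__main__":
    for name, v in PROFILES.items():
        action, url, reason = decide(v, RULES)
        print(f"{name:18} -> {action:7} {url}  ({reason})")
```

The practical lesson is the inverse of the attacker's: when fetching a suspected TDS URL, match the targeted country, time zone, language, OS and browser of the lure's intended audience, and expect a benign redirect from any automated or datacenter-origin fetch.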

On some of the infrastructure hosting Prometheus TDS, the researchers found an unfamiliar panel that they eventually identified as BRChecker, an email account brute-forcing and validation ("brute/checker") service first advertised on underground forums in 2018. As of May 2021, it was being offered for $490.

Related: Hackers Compromise Mongolian Certificate Authority to Spread Malware

Related: Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
