Security investigators searching different Trojan distribution operations discover that an underground traffic distribution service known as Prometheus is responsible for transmitting threats that often lead to ransomware attacks.
Among all the Trojan families that Prometheus TDS has chatted out so far are BazarLoader, IcedID, QBot, SocGholish, Hancitor, and Buer Loader, all of them are mostly used in intermediary attack stages to download more harmful payloads.
How has Malware Delivery Service Done?
A traffic direction system (TDS) permits redirecting users to content based on specific characteristics (e.g location, language, device type) that knows further activity.
The Attackers have been using such tools for more than a century. A 2011 report from Trend Micro details an upgrade of the Koobface botnet with a TDS component that increased profits by driving traffic to branch advertising websites.
A user known as Main is advertising it as a “professional redirect system” with anti-bot security that is reliable for email marketing, generating traffic, and social engineering.
Prometheus utilized a network of websites impacted with a backdoor accessible from the service’s administration panel, where customers can generate their profiles for their targets.
The investigators state that the users can be redirected to a website harmed with Prometheus. Backdoor through an email operation transmitting an HTML file with a redirect, or a link to a web shell leading to a negotiated site, or a Google document pointing to the malicious URL.
When users appear on the hacked website, the PHP-based Prometheus. Backdoor collects the connection details (IP address, user agent, referrer header, time zone, language) and forwards them to the admin panel.
“If the user is not recognized as a bot, then, depending on the configuration, the administrative panel can send a command to redirect the user to the specified URL, or to send a malicious file. The payload file is sent using a special JavaScript code“- Group-IB
The malicious code is often hidden in malicious Microsoft Word or Excel documents; however, ZIP and RAR archives have also been utilized. During their research, the Group-IB Threat Intelligence team discovers more than 3,000 target email addresses in operations that used Prometheus TDS.
Few of them belonged to the U.S. government agencies, organizations, and corporations in the banking and finance, retail, energy and mining, cybersecurity, IT, healthcare, IT, and various insurance sectors.
While researching the Prometheus TDS Trojan distribution campaigns, the investigators discover malicious Office documentation that transmits Campo Loader (a.k.a BazarLoader), Hancitor, QBot, IcedID, Buer Loader, and SocGholish.
All the above-mentioned Trojans are malware downloaders consisting over the past year in earlier stages of a ransomware attack (WastedLocker, Ryuk, RansomExx, REvil, Cuba, and Conti).
Although, the Group-IB Threat Intelligence team told our experts they could not link the Prometheus TDS to ransomware attacks because they analyzed the malicious files in a virtual environment.
“Group-IB researchers examined the extracted malicious files in the virtual environment, while ransomware operators now tend to be selective, which means that after the network compromise they proceed with the lateral movement to find out more about the compromised company and decide whether it’s worth to encrypt its network. So possibly the virtual machines didn’t seem attractive enough to the cybercriminals” – Group-IB
Some of the malicious documents redirected users to appropriate websites like DocuSign, USPS after downloading the malware, to task the malware infections.
How Fake VPN, Spam, and Credentials are Brute-Forcing?
Apart from the malware, Prometheus TDS has also been utilized to redirect users to sites offering fake VPN solutions, selling pharmaceutical products (Viagra spam), or phishing pages for banking data.
One who is behind Prometheus is also running another service known as BRChecker—a password brute-force tool, which shared the framework used by the TDS service.
The two systems are currently active, as the investigators see new websites infected with Prometheus.Backdoor every day. Moreover, admin panels appear constantly, a clear sign of new users.
