{"id":2744,"date":"2021-08-06T16:19:58","date_gmt":"2021-08-06T10:49:58","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2744"},"modified":"2021-08-06T16:20:00","modified_gmt":"2021-08-06T10:50:00","slug":"the-250-service-behind-recent-trojan-attacks-prometheus-tds","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/","title":{"rendered":"The $250 Service Behind Recent Trojan Attacks: Prometheus TDS"},"content":{"rendered":"\n
Security investigators searching different Trojan distribution operations discover that an underground traffic distribution service known as Prometheus is responsible for transmitting threats that often lead to ransomware attacks.<\/p><\/p>\n\n\n\n
Among all the Trojan families that Prometheus TDS has chatted out so far are BazarLoader, IcedID, QBot, SocGholish, Hancitor, and Buer Loader, all of them are mostly used in intermediary attack stages to download more harmful payloads.<\/p><\/p>\n\n\n\n
How has Malware Delivery Service Done?<\/strong><\/h2>\n\n\n\n
A traffic direction system (TDS) permits redirecting users to content based on specific characteristics (e.g location, language, device type) that knows further activity.<\/p><\/p>\n\n\n\n
The Attackers have been using such tools for more than a century. A 2011 report from Trend Micro details an upgrade of the Koobface botnet with a TDS component that increased profits by driving traffic to branch advertising websites.<\/p><\/p>\n\n\n\n
A user known as Main is advertising it as a \u201cprofessional redirect system\u201d with anti-bot security that is reliable for email marketing, generating traffic, and social engineering.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
Prometheus utilized a network of websites impacted with a backdoor accessible from the service\u2019s administration panel, where customers can generate their profiles for their targets.<\/p><\/p>\n\n\n\n
The investigators state that the users can be redirected to a website harmed with Prometheus. Backdoor through an email operation transmitting an HTML file with a redirect, or a link to a web shell leading to a negotiated site, or a Google document pointing to the malicious URL.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
When users appear on the hacked website, the PHP-based Prometheus. Backdoor collects the connection details (IP address, user agent, referrer header, time zone, language) and forwards them to the admin panel.<\/p><\/p>\n\n\n\n
\u201cIf the user is not recognized as a bot, then, depending on the configuration, the administrative panel can send a command to redirect the user to the specified URL, or to send a malicious file. The payload file is sent using a special JavaScript code\u201c- Group-IB<\/p><\/p>\n\n\n\n
The malicious code is often hidden in malicious Microsoft Word or Excel documents; however, ZIP and RAR archives have also been utilized. During their research, the Group-IB Threat Intelligence team discovers more than 3,000 target email addresses in operations that used Prometheus TDS.<\/p><\/p>\n\n\n\n
Few of them belonged to the U.S. government agencies, organizations, and corporations in the banking and finance, retail, energy and mining, cybersecurity, IT, healthcare, IT, and various insurance sectors.<\/p><\/p>\n\n\n\n
While researching the Prometheus TDS Trojan distribution campaigns, the investigators discover malicious Office documentation that transmits Campo Loader (a.k.a BazarLoader), Hancitor, QBot, IcedID, Buer Loader, and SocGholish.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
All the above-mentioned Trojans are malware downloaders consisting over the past year in earlier stages of a ransomware attack (WastedLocker, Ryuk, RansomExx, REvil, Cuba, and Conti).<\/p><\/p>\n\n\n\n
Although, the Group-IB Threat Intelligence team told our experts they could not link the Prometheus TDS to ransomware attacks because they analyzed the malicious files in a virtual environment. <\/p><\/p>\n\n\n\n
\u201cGroup-IB researchers examined the extracted malicious files in the virtual environment, while ransomware operators now tend to be selective, which means that after the network compromise they proceed with the lateral movement to find out more about the compromised company and decide whether it\u2019s worth to encrypt its network. So possibly the virtual machines didn’t seem attractive enough to the cybercriminals\u201d – Group-IB <\/p><\/p>\n\n\n\n
Some of the malicious documents redirected users to appropriate websites like DocuSign, USPS after downloading the malware, to task the malware infections.<\/p><\/p>\n\n\n\n
How Fake VPN, Spam, and Credentials are Brute-Forcing?<\/strong><\/h2>\n\n\n\n
Apart from the malware, Prometheus TDS has also been utilized to redirect users to sites offering fake VPN solutions, selling pharmaceutical products (Viagra spam), or phishing pages for banking data.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
One who is behind Prometheus is also running another service known as BRChecker\u2014a password brute-force tool, which shared the framework used by the TDS service.<\/p><\/p>\n\n\n\n
The two systems are currently active, as the investigators see new websites infected with Prometheus.Backdoor every day. Moreover, admin panels appear constantly, a clear sign of new users. <\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
Security investigators searching different Trojan distribution operations discover that an underground traffic distribution service known as Prometheus is responsible for transmitting threats that often lead to ransomware attacks. Among all the Trojan families that Prometheus TDS has chatted out so far are BazarLoader, IcedID, QBot, SocGholish, Hancitor, and Buer Loader, all of them are mostly […]<\/p>\n","protected":false},"author":2,"featured_media":2751,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"yoast_head":"\n
The $250 Service Behind Recent Trojan Attacks: Prometheus TDS - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The $250 Service Behind Recent Trojan Attacks: Prometheus TDS - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"Security investigators searching different Trojan distribution operations discover that an underground traffic distribution service known as Prometheus is responsible for transmitting threats that often lead to ransomware attacks. Among all the Trojan families that Prometheus TDS has chatted out so far are BazarLoader, IcedID, QBot, SocGholish, Hancitor, and Buer Loader, all of them are mostly […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-06T10:49:58+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-06T10:50:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/The-250-Service-Behind-Recent-Trojan-Attacks-Prometheus-TDS-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"The $250 Service Behind Recent Trojan Attacks: Prometheus TDS\",\"datePublished\":\"2021-08-06T10:49:58+00:00\",\"dateModified\":\"2021-08-06T10:50:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/\"},\"wordCount\":673,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Breaches\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/\",\"url\":\"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/\",\"name\":\"The $250 Service Behind Recent Trojan Attacks: Prometheus TDS - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-08-06T10:49:58+00:00\",\"dateModified\":\"2021-08-06T10:50:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The $250 Service Behind Recent Trojan Attacks: Prometheus TDS\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The $250 Service Behind Recent Trojan Attacks: Prometheus TDS - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/","og_locale":"en_US","og_type":"article","og_title":"The $250 Service Behind Recent Trojan Attacks: Prometheus TDS - Xiarch Solutions Private Limited","og_description":"Security investigators searching different Trojan distribution operations discover that an underground traffic distribution service known as Prometheus is responsible for transmitting threats that often lead to ransomware attacks. Among all the Trojan families that Prometheus TDS has chatted out so far are BazarLoader, IcedID, QBot, SocGholish, Hancitor, and Buer Loader, all of them are mostly […]","og_url":"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-08-06T10:49:58+00:00","article_modified_time":"2021-08-06T10:50:00+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/The-250-Service-Behind-Recent-Trojan-Attacks-Prometheus-TDS-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"The $250 Service Behind Recent Trojan Attacks: Prometheus TDS","datePublished":"2021-08-06T10:49:58+00:00","dateModified":"2021-08-06T10:50:00+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/"},"wordCount":673,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Breaches"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/","url":"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/","name":"The $250 Service Behind Recent Trojan Attacks: Prometheus TDS - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-08-06T10:49:58+00:00","dateModified":"2021-08-06T10:50:00+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/the-250-service-behind-recent-trojan-attacks-prometheus-tds\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"The $250 Service Behind Recent Trojan Attacks: Prometheus TDS"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2744"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=2744"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2744\/revisions"}],"predecessor-version":[{"id":2752,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2744\/revisions\/2752"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/2751"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=2744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=2744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=2744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"The-$250-Service-Behind-Recent-Trojan-Attacks-Prometheus-TDS-image1\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/The-250-Service-Behind-Recent-Trojan-Attacks-Prometheus-TDS-image1.png\")
<\/figure><\/div>\n\n\n\n![\"The-$250-Service-Behind-Recent-Trojan-Attacks-Prometheus-TDS-image2\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/The-250-Service-Behind-Recent-Trojan-Attacks-Prometheus-TDS-image2-1-1024x575.jpg\")
<\/figure><\/div>\n\n\n\n![\"The-$250-Service-Behind-Recent-Trojan-Attacks-Prometheus-TDS-image3\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/The-250-Service-Behind-Recent-Trojan-Attacks-Prometheus-TDS-image3.png\")
<\/figure><\/div>\n\n\n\n![\"The-$250-Service-Behind-Recent-Trojan-Attacks-Prometheus-TDS-image4\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/The-250-Service-Behind-Recent-Trojan-Attacks-Prometheus-TDS-image4.png\")
<\/figure><\/div>\n\n\n\n