A recently discovered cybercrime service is helping malware gangs distribute their malicious payloads to unsuspecting users using a network of hacked websites.
Named Prometheus, the service is what security researchers call a “traffic distribution system,” also known as a TDS.
How the Prometheus TDS works
Consisting of a network of hacked websites, Prometheus provides on-demand servers where criminal gangs can temporarily upload malware payloads for the duration of a distribution campaign.
The idea is that malware gangs rent access to Prometheus, they receive an account on the TDS platform, and then access the account to configure the malware payload they want to distribute and the type of users they want to target (based on details such as geographical location, browser or OS version).
The payload is then uploaded on hacked servers via a backdoor the Prometheus gang had planted in advance.
Once this is done, Prometheus customers can then move on to send email spam campaigns where the email text contains links to the hacked websites.
When users click the links and land on the hacked website, the Prometheus backdoor analyzes the victim’s browser details and, based on the campaign parameters, will either redirect the user to a clean web page or to one that hosts a malicious file.
Spotted by security firm Group-IB earlier this spring, Prometheus is currently advertised on underground cybercrime forums for prices ranging from 30$ for 2 days of access to the platform to $250 a month.
The Prometheus ad dates back to August 2020, suggesting the service has been live and used by malware gangs for almost a year.
Group-IB researchers said they discovered at least 3,000 malware samples distributed through hacked web servers bearing the mark and URL schemes of the Prometheus TDS, including some of today’s most dangerous malware strains, such as Campo Loader, IcedID, QBot, SocGholish, and Buer Loader.
Group-IB’s recent findings come to show once again that the current cybercrime ecosystem is not made up of just the people who create malware.
In almost all current malware campaigns, there are always at least two or three different groups working together to provide various services or features, which can usually include the likes of malware crypting, antivirus checkers, Office file weaponization (exploit building), spam-sending services, traffic distribution systems, and, many others.
The post Meet Prometheus, the secret TDS behind some of today’s malware campaigns appeared first on The Record by Recorded Future.
Source: Read More (The Record by Recorded Future)