[TheRecord] Meet Prometheus, the secret TDS behind some of today’s malware campaigns

A recently discovered cybercrime service is helping malware gangs distribute their malicious payloads to unsuspecting users using a network of hacked websites.

Named Prometheus, the service is what security researchers call a “traffic distribution system,” also known as a TDS.

How the Prometheus TDS works

Built on a network of hacked websites, Prometheus provides on-demand hosting where criminal gangs can temporarily upload malware payloads for the duration of a distribution campaign.

Malware gangs rent access to Prometheus and receive an account on the TDS platform, which they use to configure the payload they want to distribute and the users they want to target (based on details such as geographical location, browser, or OS version).

The payload is then uploaded to the hacked servers via a backdoor the Prometheus gang planted in advance.

Prometheus customers then send email spam campaigns whose messages contain links to the hacked websites.

When users click the links and land on the hacked website, the Prometheus backdoor inspects the visitor's browser details and, depending on whether they match the campaign parameters, redirects the visitor either to a clean web page or to one that hosts a malicious file.

Image: Group-IB

Spotted by security firm Group-IB earlier this spring, Prometheus is currently advertised on underground cybercrime forums at prices ranging from $30 for two days of access to the platform to $250 a month.

The Prometheus ad dates back to August 2020, suggesting the service has been live and used by malware gangs for almost a year.

Group-IB researchers said they discovered at least 3,000 malware samples distributed through hacked web servers bearing the mark and URL schemes of the Prometheus TDS, including some of today’s most dangerous malware strains, such as Campo Loader, IcedID, QBot, SocGholish, and Buer Loader.

Image: Group-IB

Group-IB’s recent findings show once again that the current cybercrime ecosystem is not made up of just the people who create malware.

Almost every current malware campaign involves at least two or three different groups working together, each providing a service or feature: malware crypting, antivirus checkers, Office file weaponization (exploit building), spam-sending services, traffic distribution systems, and many others.

The post Meet Prometheus, the secret TDS behind some of today’s malware campaigns appeared first on The Record by Recorded Future.
