Hackers exploit Prometheus TDS to carry out Cyber Attacks


Several cybercriminal groups exploit Prometheus TDS, an underground service that distributes several malware families, to deploy payloads such as Campo Loader, Hancitor, IcedID, QBot, Buer Loader and SocGholish against individuals in Belgium. The attacks also target government agencies, businesses and corporations in the United States.


Distributes Word and Excel documents containing malware

Multiple cybercriminal groups have used a malware-as-a-service (MaaS) offering, a distribution service called Prometheus TDS (Traffic Direction System), to run malware campaigns.
The TDS is designed to distribute Word and Excel documents containing malware and to divert users to phishing and malicious sites.
More than 3,000 email addresses were targeted in the first phase of the malicious campaigns in which Prometheus TDS was used to send malicious emails.

Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites. The service is built around the Prometheus TDS administration panel, in which an attacker configures the parameters of a malicious campaign: the malicious files to be downloaded, restrictions on the geolocation of users, and filters on browser version and operating system.

Use of infected third-party websites

The service is also known to use infected third-party websites. These are added manually by the campaign operators and act as an intermediary between the attacker's administration panel and the user. To do this, a PHP file named Prometheus.Backdoor is uploaded to the compromised website to collect and return data about the visitor. Based on that data, a decision is made whether to send the payload to the user and/or redirect them to the specified URL.

The attack chain begins with an email containing an HTML file, a link to a web shell that redirects users to a specified URL, or a link to an embedded Google document; the latter contains a URL that redirects users to the malicious link. Once opened or clicked, the link directs the recipient to the infected website, which stealthily collects basic information (IP address, user agent, Referer header, time zone and language) and transmits it to the Prometheus administration panel.
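As an added illustration (not code from the article or from Group-IB), the following Python script triages PHP files in a web root for the combination of behaviours the article attributes to the Prometheus.Backdoor intermediary: reading the visitor's IP, user agent, Referer and language headers, relaying them to a remote endpoint, and then redirecting the visitor or serving a file. The indicator patterns, the three-group threshold, the `load_webroot` helper and the two sample files are assumptions constructed for the demonstration, not published signatures; the second sample is a deliberately incomplete fragment that only carries the traits the scanner looks for.

```python
"""Triage PHP files for the traits the article ascribes to the Prometheus.Backdoor
intermediary: client fingerprinting, a callback to a remote panel, and a redirect or
file hand-off.  Added example; indicators, threshold and samples are assumptions."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Each group corresponds to one behaviour described in the article.  Any single group
# is common in benign code (a contact form redirects, analytics read the user agent),
# so a file is flagged only when several groups appear together.
INDICATORS: Dict[str, List[str]] = {
    "fingerprint": [  # collecting IP, user agent, referrer, language
        r"\$_SERVER\[\s*['\"]REMOTE_ADDR['\"]\s*\]",
        r"\$_SERVER\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]",
        r"\$_SERVER\[\s*['\"]HTTP_REFERER['\"]\s*\]",
        r"\$_SERVER\[\s*['\"]HTTP_ACCEPT_LANGUAGE['\"]\s*\]",
    ],
    "callback": [  # relaying the collected data to a remote controller
        r"\bcurl_exec\s*\(",
        r"\bfile_get_contents\s*\(\s*['\"]https?://",
        r"\bfsockopen\s*\(",
    ],
    "delivery": [  # redirecting the visitor or handing over a file
        r"header\s*\(\s*['\"]Location:",
        r"header\s*\(\s*['\"]Content-Disposition:\s*attachment",
        r"\breadfile\s*\(",
    ],
}

COMPILED = {group: [re.compile(p, re.IGNORECASE) for p in pats]
            for group, pats in INDICATORS.items()}


def score_php_source(src: str) -> Tuple[int, Dict[str, int]]:
    """Return (number of behaviour groups present, per-group hit counts)."""
    hits: Dict[str, int] = {}
    for group, pats in COMPILED.items():
        n = sum(len(p.findall(src)) for p in pats)
        if n:
            hits[group] = n
    return len(hits), hits


def triage(files: Dict[str, str], min_groups: int = 3) -> List[Tuple[str, Dict[str, int]]]:
    """Flag files that exhibit at least `min_groups` behaviour groups at once."""
    flagged = []
    for name, src in files.items():
        score, hits = score_php_source(src)
        if score >= min_groups:
            flagged.append((name, hits))
    return flagged


def load_webroot(root: str) -> Dict[str, str]:
    """Read every .php file under `root` (for a run against a real document root)."""
    return {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}


# Constructed samples: a benign contact form, and an incomplete fragment that shows the
# fingerprint-relay-redirect pattern (endpoints are placeholders, $panel is undefined).
SAMPLES = {
    "contact.php": """<?php
$ua = $_SERVER['HTTP_USER_AGENT'];   // logged for analytics only
mail('owner@example.invalid', 'contact', $_POST['msg']);
header('Location: /thanks.html');
""",
    "wp-content/uploads/cache.php": """<?php
$d = [$_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'],
      $_SERVER['HTTP_REFERER'], $_SERVER['HTTP_ACCEPT_LANGUAGE']];
$r = curl_exec($panel);   // placeholder: relays $d to the operator's panel
if ($r === 'go') header('Location: http://REDIRECT-PLACEHOLDER.invalid/');
""",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES):
        print(f"FLAGGED {name}: {hits}")
```

Against a live host, `triage(load_webroot("/var/www"))` yields a review queue rather than a verdict: the contact form scores two groups and stays below the threshold, while the fragment in the uploads directory scores all three. Flagged files should be compared with a known-good copy of the site, since the article notes these intermediaries are placed on compromised third-party sites by hand.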

Prometheus used as a classic TDS

Besides distributing malicious files, researchers found that Prometheus TDS is also used as a classic TDS to redirect users to specific sites. These could be fake VPN sites, dubious portals selling Viagra and Cialis, or even bank phishing sites. The researchers noted in particular that Prometheus TDS redirected users to sites selling pharmaceuticals.

The operators of these sites often run affiliate and partnership programs. Partners, in turn, often use aggressive spam campaigns to increase affiliate program revenue. Analysis of the Prometheus infrastructure by specialists at Group-IB revealed links that redirect users to sites relating to a Canadian pharmaceutical company.
