Thursday, August 26th, 2021
Prometheus TDS: The $250 key to success for Campo Loader, Hancitor, IcedID QBot
Numerous cyber criminal groups are leveraging an underground service known as Prometheus TDS to distribute a variety of malicious software distribution campaigns which redirect visitors to phishing and malicious sites resulting in payload deployments such as Campo Loader and Hanctor.
Prometheus is available for sale on underground platforms for $250 a month. The service is a Traffic Direction System (TDS) that is designed to distribute malware-laced Word and Excel documents, and divert users to phishing and malicious sites.
More than 3,000 email addresses have been targeted via malicious campaigns across multiple sectors in which Prometheus TDS was used. The underground malware-as-a-service (MaaS) solution has been used to distribute a wide range of malicious software distribution campaigns that result in the deployment of payloads such as Campo Loader, Hancitor, QBot, Buer Loader, and SocGholish against individuals. companies and U.S. government agencies.
How Prometheus TDS works:
Malware gangs are able to access to Prometheus service for a fee in which they will receive an account on the TDS platform. The ‘renters of the service’ can then login to the account, configure the malware payload they want to distribute, the type of users they want to target and provide a list of hacked web servers.
Prometheus TDS will then scan the list of hacked websites provided by the hacker and deploy a backdoor to the hacked servers. Once this is done, teh hackers can then move on to send email campaigns where the email text contains links to the hacked websites.
When the end users clicks on a link or the HTML file attached – it will take them to the hacked site, this is where the “Prometheus.Backdoor” is uploaded to the compromised websites and collects the victims data. After analyzing this data, the administrative panel decides whether to send the payload to the user or to redirect them to the specified URL.
The service may send a malware-ridden Microsoft Word or Excel document, with the user redirected to a legitimate site like DocuSign immediately after downloading the file to mask the malicious activity.
Some of the targeted inboxes belonged to U.S. government agencies, companies, and corporations in the banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance sectors.
When investigating the Prometheus TDS malware campaigns, the researchers at GroupIB found a lot of malicious Office documents that delivered Campo Loader, Hancitor, QBot, IcedID, Buer Loader, and SocGholish. These trojans are of course malware downloaders which were involved in the earlier stages of ransomware attacks over the last few years – Ryuk, Egregor, RansomExx, REvil, and Conti.
We are seeing in many malware campaigns today that there are always at least two if not three different groups working together to provide various services and Prometheus TDS has been no different.