Prometheus TDS Malware Service is Back and Behind Recent Attacks

Since August 2020, multiple cybercriminal groups have used a malware-as-a-service (MaaS) offering called Prometheus TDS (Traffic Direction System) to distribute their campaigns. Sold for $250 a month, Prometheus TDS has been used to deliver BazarLoader, IcedID, QBot, SocGholish, Hancitor and Buer Loader, all loaders commonly used to fetch more damaging payloads.

According to a report by Group-IB's Threat Intelligence analysts, the two most active campaigns target individuals in Belgium and companies, corporations, universities and government organizations in the United States, respectively.

More than 3,000 email addresses were targeted in the first phase of the campaigns in which Prometheus TDS was used to send malicious emails. The malicious code was most often hidden in Microsoft Word or Excel documents, although ZIP and RAR archives have been used as well.

Group-IB describes delivery through Prometheus TDS as a multi-stage process. The victim first receives an email carrying an HTML attachment, a link to a web shell planted on a compromised site (Prometheus.Backdoor), or a link to a Google Doc that in turn contains the redirect URL. When the attachment is opened or the link is followed, the backdoor collects data about the visitor and sends it to the Prometheus admin panel, which then decides whether to redirect the visitor to the operator's chosen URL or to serve a malicious file directly. Because that decision is made per visitor, an analyst or sandbox that follows the same link may be handed a harmless redirect while the intended target receives the payload. The same infrastructure is also used to redirect users to sites such as fake VPN pages, portals selling Viagra and Cialis, and bank phishing pages.
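As an added example (not code from the Group-IB report or from Binary Defense), the script below triages a single .eml for the lure shapes described above: HTML attachments, Office documents, ZIP/RAR archives, links to Google Docs, and links to PHP pages on third-party sites, where a web shell used for the redirect would sit. The suffix list, the PHP-link heuristic and the From/Reply-To domain check are assumptions chosen for illustration, and the sample message is constructed inline rather than taken from a real campaign.

```python
"""Added example: triage an .eml for the Prometheus TDS lure patterns.

Illustrative code, not from Group-IB or Binary Defense. The file-type
and URL heuristics below are assumptions chosen to match the campaign
description, not signatures published by either organisation.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Attachment suffixes the campaign is reported to use (labels assumed).
RISKY_SUFFIXES = {
    ".html": "HTML lure", ".htm": "HTML lure",
    ".doc": "Office document", ".docm": "Office document",
    ".docx": "Office document", ".xls": "Office document",
    ".xlsm": "Office document", ".xlsx": "Office document",
    ".zip": "archive", ".rar": "archive",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
GOOGLE_DOC_RE = re.compile(r"^https?://docs\.google\.com/document/", re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of an address header (empty if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def extract_urls(msg: EmailMessage) -> list[str]:
    """Collect URLs from inline text/HTML bodies, skipping attached files."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        if part.get_content_disposition() == "attachment":
            continue
        urls.extend(u.rstrip(".,;)") for u in URL_RE.findall(part.get_content()))
    return urls


def triage(raw: bytes) -> list[str]:
    """Return human-readable findings for the lure patterns described above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Verification of the sender: a Reply-To pointing elsewhere is a classic tell.
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"header: From domain {sender} differs from Reply-To domain {reply_to}")

    # Attachments of the kinds the campaign is reported to deliver.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        for suffix, label in RISKY_SUFFIXES.items():
            if name.endswith(suffix):
                findings.append(f"attachment {name}: {label}")
                break

    # Links that match the redirect hops described in the report.
    for url in extract_urls(msg):
        if GOOGLE_DOC_RE.match(url):
            findings.append(f"link {url}: Google Doc used as a redirect hop")
        elif urlparse(url).path.lower().endswith(".php"):
            findings.append(f"link {url}: PHP page on a third-party site (possible web shell)")
    return findings


def build_sample_email() -> bytes:
    """Constructed sample message for demonstration; not a real campaign artefact."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@vendor.example>"
    msg["Reply-To"] = "billing@unrelated.example"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Overdue invoice"
    msg.set_content(
        "The invoice is at https://docs.google.com/document/d/EXAMPLE/edit,\n"
        "or open https://compromised-site.example/wp-content/uploads/index.php.\n"
    )
    msg.add_attachment(b"<html></html>", maintype="text", subtype="html",
                       filename="invoice.html")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample_email()):
        print(line)
```

The script is a first-pass filter, not a verdict: a Google Docs link or a PHP page is benign far more often than not, so the findings are meant to route a message to an analyst or a detonation sandbox. Given the per-visitor decision described above, detonating the link once and seeing a clean redirect does not clear it.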

Analyst Notes

Defending against campaigns like those run through Prometheus TDS starts with prevention. Regular security awareness training on information security principles and techniques is crucial: when receiving an email, confirm that it came from a trusted or known source, and do not open attachments or follow links without first verifying them. Because the lures here arrive as HTML attachments, Office documents, archives and links that pass through intermediate pages, mail filtering and endpoint controls that block or sandbox those file types reduce exposure. Monitoring security events on employee workstations and servers with a 24/7 Security Operations Center is an effective way to catch malware before it can compromise a system. Binary Defense offers expert Malware Analysts and Security Operations Center operators to supplement any company's defensive posture.