The BlackBerry Research and Intelligence Team has reported on a subscription-based crimeware-as-a-service (CaaS) offering and a cracked copy of Cobalt Strike that it suspects is being offered alongside it as a post-exploitation tool on Russian hacker forums.
The service, called Prometheus, was first spotted in August 2021 by the cybersecurity company Group-IB, which revealed that multiple cybercriminal groups have been distributing a range of malware through campaigns that use it.
It is described as a traffic direction system (TDS), sold for $250 a month, that lets attackers redirect phishing traffic to rogue landing pages that deploy malware.
“Prometheus can be considered a full-bodied service/platform that allows threat groups to purvey their malware or phishing operations with ease,” BlackBerry Research and Intelligence Team said in a report. “The main components of Prometheus include a web of malicious infrastructure, malicious email distribution, illicit file-hosting through legitimate services, traffic redirection and the ability to deliver malicious files.”
The redirection is typically carried out through two main vectors: malicious ads and altered websites.
The attack chain begins with an email that contains an HTML file or a Google Docs page. After clicking a link, the victim is taken to a compromised website, which then either drops malware or launches a page that contains a phishing scam.
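As an added illustration of that chain from the defender's side (this is example code, not part of the BlackBerry report), the function below walks a constructed, assumed-format proxy log and reports sessions where a request arriving from a lure origin (a shared Google Doc, or no referrer, as when a locally opened HTML attachment is clicked) is redirected onto a different host and lands on either a file download or a plain landing page; a same-host redirect such as an http-to-https upgrade is deliberately left unflagged. All hostnames and paths in the sample are constructed, not real indicators.

```python
from urllib.parse import urlparse

# Referrer hosts that match the lure documents described in the attack chain.
LURE_REFERRERS = {"docs.google.com", "drive.google.com"}
# Final content types treated as a malware drop rather than a phishing page.
DROP_TYPES = {"application/octet-stream", "application/x-msdownload", "application/zip"}

# Constructed sample proxy log (assumed format): client, url, status, referrer, content_type
SAMPLE_LOG = [
    ("10.0.0.5", "https://docs.google.com/document/d/lure", 200, "-", "text/html"),
    ("10.0.0.5", "https://blog.example/wp-content/r.php", 302, "https://docs.google.com/document/d/lure", "text/html"),
    ("10.0.0.5", "https://files.example/update/setup.exe", 200, "https://docs.google.com/document/d/lure", "application/x-msdownload"),
    # HTML attachment opened locally: no referrer, then a redirect to a credential page
    ("10.0.0.7", "https://shop.example/old/go.php", 302, "-", "text/html"),
    ("10.0.0.7", "https://login.example/owa/", 200, "-", "text/html"),
    # Benign http->https upgrade on the same host: must not be flagged
    ("10.0.0.9", "http://news.example/", 301, "-", "text/html"),
    ("10.0.0.9", "https://news.example/", 200, "-", "text/html"),
]


def host(url):
    """Hostname of a URL, or '' for '-' and other non-URLs."""
    return urlparse(url).hostname or ""


def find_tds_chains(log):
    """Return one dict per suspicious chain: a 3xx request reached from a lure origin,
    followed by a 200 on a different host. Tagged 'malware_drop' when the final
    content type is an executable/archive, otherwise 'landing_page'."""
    per_client = {}
    for entry in log:
        per_client.setdefault(entry[0], []).append(entry)
    chains = []
    for client, reqs in per_client.items():
        i = 0
        while i < len(reqs):
            _, url, status, ref, _ = reqs[i]
            if (ref == "-" or host(ref) in LURE_REFERRERS) and 300 <= status < 400:
                hops, j = [url], i + 1
                while j < len(reqs) and 300 <= reqs[j][2] < 400:  # follow further redirects
                    hops.append(reqs[j][1])
                    j += 1
                if j < len(reqs) and reqs[j][2] == 200 and host(reqs[j][1]) != host(url):
                    hops.append(reqs[j][1])
                    verdict = "malware_drop" if reqs[j][4] in DROP_TYPES else "landing_page"
                    chains.append({"client": client, "lure": ref, "hops": hops, "verdict": verdict})
                    i = j
            i += 1
    return chains
```

On the sample log this reports two chains (a malware drop for 10.0.0.5 and a landing page for 10.0.0.7) and ignores the same-host upgrade for 10.0.0.9; the no-referrer rule is noisy on real traffic and is only kept because the page's chain includes locally opened HTML attachments.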
The most prominent activity associated with the service’s operators is said to have started in October 2018. It was linked to an actor who goes by the name “Ma1n” advertising redirection services. The actors then put up Prometheus TDS for sale on September 22, 2020.
The company also found similarities between the Prometheus operation and an illegitimate version of the Cobalt Strike threat emulation software.
“It’s possible that someone connected with the Prometheus TDS is maintaining this cracked copy and providing it upon purchase,” the researchers said. “It is also possible that this cracked installation may be provided as part of a standard playbook or a virtual machine (VM) installation.”
The researchers noted that the complexity of the operation, low financial cost, and support provided by the service suggest that this type of criminal activity is likely to become more prevalent in the future.
“The volume of groups that are using offerings such as the Prometheus TDS speaks to the success and efficacy of these illicit infrastructure-for-hire services, which are in essence full-fledged enterprises that support the malicious activities of groups regardless of their size, level of resourcing or motives.”