In a recent write-up, Group-IB researchers detailed how multiple cybercriminal groups are using Prometheus TDS, a popular malware-as-a-service (MaaS) solution, to distribute their malware campaigns.
Prometheus TDS (short for Traffic Direction System) is a tool that distributes weaponized Word and Excel documents that are designed to trick users into visiting phishing sites. It is sold on hacker forums for $250.
Using Prometheus TDS, threat actors routinely deploy such malware as Campo Loader, QBot, Buer Loader, Hancitor, IcedID, and SocGholish, mostly against individuals in Belgium and corporations in the U.S., according to the researchers.
“Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites,” Group-IB researchers said. “This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users’ geolocation, browser version, and operating system.”
Over 3,000 attacker email addresses were reportedly used to distribute Prometheus TDS in attacks targeting industries such as banking and finance, IT, energy, and healthcare.
Attackers send emails that contain a link to a specific page, a web shell, or a link to a Google Doc.
Attackers often use infected third-party websites to act as intermediaries between the attacker’s administrative panel and the user. In this setup, attackers plant a PHP file named “Prometheus.Backdoor” on a compromised website. It stealthily collects data about the victim (IP address, User-Agent, Referer header, time zone, and language data), which determines whether the attacker sends a payload or directs the victim to a specific URL.
Finally, the administrative panel is responsible for sending a command to take the victim to a specific website or sending a weaponized Microsoft Word or Excel document. After downloading the file, the user is redirected to a legitimate website, such as DocuSign or USPS.
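The relay described above leaves a recognisable footprint on the compromised site: a PHP file that reads the visitor fields listed (address, User-Agent, Referer, language), talks to an external panel, and then either redirects or serves a file. The following is an added example of a defender-side scan for such files; it is not Group-IB’s code and not a copy of the real backdoor. The indicator patterns, the directory layout, and the two sample PHP files are constructed for the example, and the file name check uses only the “Prometheus.Backdoor” name given in the write-up.

```python
import os
import re
import tempfile

# Heuristic indicators (assumptions for this example): a relay script has to
# read the visitor fields the write-up lists, contact a remote host, and then
# redirect or hand over a file. None of these is suspicious on its own, which
# is why the behavioural rule requires all three together.
FINGERPRINT_FIELDS = {
    "ip": re.compile(r"REMOTE_ADDR|HTTP_X_FORWARDED_FOR"),
    "user_agent": re.compile(r"HTTP_USER_AGENT"),
    "referer": re.compile(r"HTTP_REFERER"),
    "language": re.compile(r"HTTP_ACCEPT_LANGUAGE"),
}
OUTBOUND_CALL = re.compile(
    r"curl_init|curl_exec|fsockopen|stream_socket_client"
    r"|file_get_contents\s*\(\s*['\"]https?://"
)
DELIVERY = re.compile(r"header\s*\(\s*['\"]Location:|Content-Disposition:\s*attachment")
# The only page-provided indicator: the file name reported in the write-up.
FILENAME_IOC = re.compile(r"prometheus\.backdoor", re.IGNORECASE)


def assess_php(path, source):
    """Return a list of findings for one PHP file (empty list = nothing flagged)."""
    fields = sorted(name for name, rx in FINGERPRINT_FIELDS.items() if rx.search(source))
    findings = []
    if FILENAME_IOC.search(os.path.basename(path)):
        findings.append("filename matches Prometheus.Backdoor")
    if len(fields) >= 3 and OUTBOUND_CALL.search(source) and DELIVERY.search(source):
        findings.append(
            "collects " + ",".join(fields) + ", contacts remote host, then redirects/serves file"
        )
    return findings


def scan_webroot(root):
    """Walk a web root and map flagged PHP file names to their findings."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings = assess_php(full, fh.read())
            if findings:
                hits[name] = findings
    return hits


# Constructed samples for the demo; they are not files taken from the campaign.
BENIGN_PHP = (
    "<?php\n"
    "$lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'];\n"
    "setcookie('site_lang', substr($lang, 0, 2));\n"
)
RELAY_LIKE_PHP = (
    "<?php\n"
    "$ip = $_SERVER['REMOTE_ADDR'];\n"
    "$ua = $_SERVER['HTTP_USER_AGENT'];\n"
    "$ref = $_SERVER['HTTP_REFERER'];\n"
    "$ch = curl_init($panel);  // $panel: placeholder for the remote panel address\n"
    "header('Location: ' . $target);\n"
)


def demo():
    """Build a throwaway web root with the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_PHP)
        with open(os.path.join(root, "Prometheus.Backdoor.php"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_PHP)  # name-based hit only
        with open(os.path.join(root, "uploads", "cache.php"), "w", encoding="utf-8") as fh:
            fh.write(RELAY_LIKE_PHP)  # behaviour-based hit under an innocuous name
        return scan_webroot(root)


if __name__ == "__main__":
    for fname, why in demo().items():
        print(fname, "->", "; ".join(why))
```

Point `scan_webroot` at a real document root to triage it. The behavioural rule matters more than the name rule: an operator can rename the file at will, but the relay cannot do its job without reading the visitor fields, reaching the panel, and then redirecting or serving a document.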
Researchers saw that Prometheus TDS was also used to redirect users to affiliate websites, such as VPN websites, dubious portals selling Viagra and Cialis, and banking phishing sites.
“Prometheus TDS also redirected users to sites selling pharmaceutical products,” the researchers noted. “Operators of such sites often have affiliate and partnership programs. Partners, in turn, often resort to aggressive SPAM campaigns in order to increase the earnings within the affiliate program. Analysis of the Prometheus infrastructure by Group-IB specialists revealed links that redirect users to sites relating to a Canadian pharmaceutical company.”