Experts from the Group-IB team have identified a new Malware-as-a-Service (MaaS) campaign named "Prometheus TDS" (Traffic Direction System), targeting at least 3,000 victims with malware such as Campo Loader, IcedID, QBot, SocGholish, and Buer Loader.
On initial analysis, the researchers found that this campaign uses a new technique to keep documents carrying malicious URLs off the radar. "The first targeted individuals in Belgium, and the second targeted companies, corporations, universities, and government organizations in the United States," the blog post states.
“Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites. This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users’ geolocation, browser version, and operating system.” reads the post.
Additionally, to keep infected victims from interacting directly with the malware's administrative panel, the threat actors use compromised third-party sites as a proxy between the admin panel and the victims.
The researchers report that they identified multiple campaigns of this malware, "one targeting individuals in Belgium (more than 2,000 emails) and the other targeting US government agencies, companies, and corporations in various sectors (banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance) (260+ emails)."
In Stage 1, the user receives an email that uses one of the following techniques:
- An HTML file that redirects the victim to a compromised site hosting the Prometheus backdoor.
- A link to a web shell that redirects to an address hosting the Prometheus malware.
- A link to a Google Doc that redirects to a malicious URL.
In Stage 2, once the user opens the attachment or follows the link received via email, the Prometheus backdoor collects the necessary details about the victim.
In Stage 3, "The data collected is sent to the Prometheus TDS admin panel. This admin panel then decides whether to instruct the backdoor to send a malicious file to the users and/or to redirect them to the specified URL," reads the blog post.
CyberWorkx news readers can find the indicators of compromise on this link.
For more cybersecurity news in crisp content, please follow our site via the Twitter handle @cyberworkx1.