Group-IB discovered the subscription-based malware service Prometheus TDS in August 2021 as part of an email campaign targeting U.S. government agencies, among others. The Crimeware-as-a-Service (CaaS) offering was made available to a primarily Russian customer base by a cyber threat actor known as “Ma1n” on various Russian hacking forums.

This threat actor appears to depend  on Cobalt Strike for infrastructure (for more information about Cobalt Strike please download our recent book on the subject). Based on Beacon configuration data, we were able to cluster a variety of different malware families used by the BlackBerry Research & Intelligence Team’s Cobalt Strike Team Server scanning solution.

Didier Stevens, a malware researcher for NVISO Labs, recently discovered six SSL private keys bundled with cracked or leaked copies of Cobalt Strike, one of which has a significant overlap with Prometheus-related activity. He has made available information and tools that allow this Beacon traffic to be decrypted.

BlackBerry Research and Intelligence Team reported that ,” Prometheus can be thought of as a full-fledged service/platform that allows threat groups to easily purvey their malware or phishing operations. Prometheus main components such as a web of malicious infrastructure, malicious email distribution, illicit file-hosting through  legitimate services, traffic redirection  and the ability to deliver malicious files.”

Typically, the redirection comes from one of two sources: malicious ads on legitimate websites or websites that have been tampered with to insert malicious code. In the case of Prometheus, the attack chain begins with a spam email containing an HTML file or a Google Docs page that, when activated, redirects the victim to a malicious website.

The first activity associated with the service’s operators, who go by the name “Ma1n” on hacking forums, is said to have begun in October 2018, with the author linked to other illicit methods offering high quality redirects and PowerMTA kits for mailing to corporate mailboxes before putting Prometheus TDS up for sale on September 22, 2020.

This is supported by the fact that the cracked copy has been used by a number of threat actors such as DarkCrystal RAT, FickerStealer, FIN7, Qakbot, and IceID, as well as ransomware cartels such as REvil, Ryuk (Wizard Spider), BlackMatter, and Cerber over the last two years.

Finally the researchers concluded that,“While TDS’s are not a new concept, the level of complexity, support and low financial cost lend credence to the theory that this is a trend that is likely to rise in the threat landscape’s near future. The volume of groups that use offerings like the Prometheus TDS demonstrates the success and efficacy of these illicit infrastructure for hire services, which are in essence full-fledged enterprises that support the malicious activities of groups of any size, level of resourcing, or motives.”

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s