Group-IB discovered the subscription-based malware service Prometheus TDS in August 2021 as part of an email campaign targeting U.S. government agencies, among others. The Crimeware-as-a-Service (CaaS) offering was made available to a primarily Russian customer base by a cyber threat actor known as “Ma1n” on various Russian hacking forums.
This threat actor appears to depend on Cobalt Strike for infrastructure (for more information about Cobalt Strike, see BlackBerry's recent book on the subject). Based on Beacon configuration data collected by the BlackBerry Research & Intelligence Team's Cobalt Strike Team Server scanning solution, the researchers were able to cluster a variety of different malware families.
Didier Stevens, a malware researcher for NVISO Labs, recently discovered six SSL private keys bundled with cracked or leaked copies of Cobalt Strike, one of which has a significant overlap with Prometheus-related activity. He has made available information and tools that allow this Beacon traffic to be decrypted.
The BlackBerry Research and Intelligence Team reported: “Prometheus can be thought of as a full-fledged service/platform that allows threat groups to easily purvey their malware or phishing operations. Prometheus' main components include a web of malicious infrastructure, malicious email distribution, illicit file-hosting through legitimate services, traffic redirection and the ability to deliver malicious files.”
Typically, the redirection comes from one of two sources: malicious ads on legitimate websites or websites that have been tampered with to insert malicious code. In the case of Prometheus, the attack chain begins with a spam email containing an HTML file or a Google Docs page that, when activated, redirects the victim to a malicious website.
The first activity associated with the service's operator, who goes by the name “Ma1n” on hacking forums, is said to have begun in October 2018. The author was linked to other illicit offerings, such as high-quality redirects and PowerMTA kits for mailing to corporate mailboxes, before putting Prometheus TDS up for sale on September 22, 2020.
This is supported by the fact that the cracked copy has also been used over the last two years by a number of threat actors and malware families, including DarkCrystal RAT, FickerStealer, FIN7, Qakbot and IcedID, as well as ransomware cartels such as REvil, Ryuk (Wizard Spider), BlackMatter and Cerber.
Finally, the researchers concluded: “While TDSs are not a new concept, the level of complexity, support and low financial cost lend credence to the theory that this is a trend that is likely to rise in the threat landscape's near future. The volume of groups that use offerings like the Prometheus TDS demonstrates the success and efficacy of these illicit infrastructure-for-hire services, which are in essence full-fledged enterprises that support the malicious activities of groups of any size, level of resourcing, or motives.”