Multiple cybercriminal groups are leveraging a malware-as-a-service (MaaS) solution to run a wide range of malware distribution campaigns that result in the deployment of payloads such as Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish against individuals in Belgium as well as government agencies, companies, and corporations in the U.S.
Dubbed “Prometheus TDS” (short for Traffic Direction System) and available for sale on underground platforms for $250 a month since August 2020, the service is designed to distribute malware-laced Word and Excel documents and divert users to phishing and malicious sites, according to a Group-IB report shared with The Hacker News.
More than 3,000 email addresses are said to have been targeted in malicious campaigns in which Prometheus TDS was used to send malicious emails, with banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance emerging as the most prominent verticals hit by the attacks.
“Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites,” Group-IB researchers said. “This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users’ geolocation, browser version, and operating system.”
The service is also known to use third-party infected websites that are manually added by the campaign’s operators and act as an intermediary between the attacker’s administrative panel and the user. To achieve this, a PHP file named “Prometheus.Backdoor” is uploaded to the compromised website to collect and send back data about the victim; based on that data, a decision is made as to whether to send the payload to the user and/or redirect them to the specified URL.
The attack chain begins with an email containing an HTML file, a link to a web shell that redirects users to a specified URL, or a link to a Google Doc embedded with a URL that redirects users to the malicious link. When that link is opened or clicked, it leads the recipient to the infected website, which stealthily collects basic information (IP address, User-Agent, Referrer header, time zone, and language data) and then forwards this data to the Prometheus admin panel.
In the final phase, the administrative panel is responsible for sending a command either to redirect the user to a specific URL or to deliver a malware-laden Microsoft Word or Excel document, with the user redirected to a legitimate website like DocuSign or USPS immediately after downloading the file to mask the malicious activity. Besides distributing malicious files, the researchers found that Prometheus TDS is also used as a classic TDS to redirect users to specific sites, such as fake VPN websites, dubious portals selling Viagra and Cialis, and banking phishing sites.
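The delivery sequence described above (a fingerprinting page on the compromised site, a Word or Excel document download, then an immediate bounce to a legitimate site such as DocuSign or USPS) is visible end to end in an organization's egress proxy logs, which makes it a practical thing to hunt for. The Python below is an added example for defenders; it is not code from Group-IB, from The Hacker News, or from the Prometheus operators. It assumes a constructed, simplified proxy log format (timestamp, client IP, method, URL, status, content type), a 15-second window between the download and the decoy redirect, and a `.php` path for the fingerprinting page; the host names and log lines in it are constructed for the example.

```python
"""Flag the Prometheus TDS delivery sequence in egress proxy logs.

Added example (not Group-IB's or the service's code). The log format is a
constructed simplification, one request per line:
    <ISO timestamp> <client_ip> <method> <url> <status> <content-type>
Per client, the sequence looked for is:
    1. a request to a dynamic (.php) page on some host      (fingerprinting, assumed)
    2. an Office document served from that same host        (the lure)
    3. a request to a decoy host (DocuSign, USPS) shortly after step 2
Step 1 is reported when seen but is not required for an alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# MIME types (lower-cased) and extensions of the Word/Excel lures the report describes.
OFFICE_TYPES = {
    "application/msword",
    "application/vnd.ms-excel",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")
# Legitimate sites the report says victims are bounced to after the download.
DECOY_HOSTS = ("docusign.com", "usps.com")
# Assumed tunable: how quickly the decoy redirect follows the download.
WINDOW = timedelta(seconds=15)


def parse_line(line):
    """Parse one constructed proxy log line into an event dict (None if malformed)."""
    parts = line.split(maxsplit=5)
    if len(parts) != 6:
        return None
    ts, ip, method, url, status, ctype = parts
    parsed = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "method": method,
        "url": url,
        "host": (parsed.hostname or "").lower(),
        "path": parsed.path.lower(),
        "status": int(status),
        "ctype": ctype.strip().lower(),
    }


def is_office_download(ev):
    """True if the response delivered a Word/Excel document."""
    return ev["status"] == 200 and (
        ev["ctype"] in OFFICE_TYPES or ev["path"].endswith(OFFICE_EXT)
    )


def is_decoy(host):
    """Exact or subdomain match against the decoy list (suffix look-alikes do not match)."""
    return any(host == d or host.endswith("." + d) for d in DECOY_HOSTS)


def find_sequences(lines):
    """Return one alert per (document download -> decoy redirect) pair found."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_client[ev["ip"]].append(ev)

    alerts = []
    for ip, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if not is_office_download(ev) or is_decoy(ev["host"]):
                continue  # a document fetched from the decoy site itself is not a lure
            # Look back (within the window) for the fingerprinting page on the same host.
            fingerprint = None
            for prev in reversed(events[:i]):
                if ev["ts"] - prev["ts"] > WINDOW:
                    break
                if prev["host"] == ev["host"] and prev["path"].endswith(".php"):
                    fingerprint = prev["url"]
                    break
            # Look ahead (within the window) for the bounce to a legitimate decoy site.
            for nxt in events[i + 1:]:
                if nxt["ts"] - ev["ts"] > WINDOW:
                    break
                if is_decoy(nxt["host"]):
                    alerts.append({
                        "client": ip,
                        "lure_url": ev["url"],
                        "decoy_host": nxt["host"],
                        "fingerprint_page": fingerprint,
                        "seconds_to_decoy": (nxt["ts"] - ev["ts"]).total_seconds(),
                    })
                    break
    return alerts


# Constructed sample: one matching sequence (10.0.0.7) and two benign look-alikes.
SAMPLE_LOG = """\
2021-08-05T09:12:01 10.0.0.7 GET http://compromised-site.example/wp-content/upload.php 200 text/html
2021-08-05T09:12:03 10.0.0.7 GET http://compromised-site.example/wp-content/invoice_0805.docm 200 application/vnd.ms-word.document.macroEnabled.12
2021-08-05T09:12:05 10.0.0.7 GET https://www.docusign.com/ 200 text/html
2021-08-05T09:30:11 10.0.0.9 GET https://intranet.example/reports/q2.xlsx 200 application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
2021-08-05T09:45:00 10.0.0.9 GET https://www.usps.com/ 200 text/html
2021-08-05T10:02:14 10.0.0.12 GET https://www.usps.com/manage/forms.htm 200 text/html
"""

if __name__ == "__main__":
    for alert in find_sequences(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against real proxy exports, the only parts that need adapting are `parse_line` (to the proxy's actual field layout) and the two tunables: the decoy list, which should hold whichever legitimate brands the current campaign abuses, and the window, which trades false positives from users who genuinely open a document and then visit USPS against misses when the redirect is delayed. The `.php` look-back is a convenience for the analyst, not a detection requirement, since the fingerprinting page can have any name.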
“Prometheus TDS also redirected users to sites selling pharmaceutical products,” the researchers noted. “Operators of such sites often have affiliate and partnership programs. Partners, in turn, often resort to aggressive SPAM campaigns in order to increase the earnings within the affiliate program. Analysis of the Prometheus infrastructure by Group-IB specialists revealed links that redirect users to sites relating to a Canadian pharmaceutical company.”