Multiple cybercriminal groups are leveraging a malware-as-a-service (MaaS) solution to run a wide range of malicious software distribution campaigns that result in the deployment of payloads such as Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish against individuals in Belgium as well as government agencies, companies, and corporations in the U.S.
Dubbed "Prometheus TDS" (short for Traffic Direction System) and available for sale on underground platforms for $250 a month since August 2020, the service is designed to distribute malware-laced Word and Excel documents and divert users to phishing and malicious sites, according to a Group-IB report shared with The Hacker News.
More than 3,000 email addresses are said to have been singled out via malicious campaigns in which Prometheus TDS was used to send malicious emails, with banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance emerging as the prominent verticals targeted by the attacks.
"Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites," Group-IB researchers said. "This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users' geolocation, browser version, and operating system."
The service is also known to employ third-party infected websites that are manually added by the campaign's operators and act as an intermediary between the attacker's administrative panel and the user. To achieve this, a PHP file named "Prometheus.Backdoor" is uploaded to the compromised website to collect and send back data about the victim, based on which a decision is made as to whether to deliver the payload to the user and/or to redirect them to the specified URL.
The attack chain begins with an email containing an HTML file, a link to a web shell that redirects users to a specified URL, or a link to a Google Doc embedded with a URL that redirects users to the malicious link. When opened or clicked, it leads the recipient to the infected website, which stealthily collects basic data (IP address, User-Agent, Referrer header, time zone, and language data) and then forwards this information to the Prometheus admin panel.
In the final phase, the administrative panel takes responsibility for sending a command to redirect the user to a specific URL, or to send a malware-ridden Microsoft Word or Excel document, with the user redirected to a legitimate website like DocuSign or USPS immediately after downloading the file to mask the malicious activity. In addition to distributing malicious files, researchers found that Prometheus TDS is also used as a classic TDS to redirect users to specific websites, such as fake VPN sites, dubious portals selling Viagra and Cialis, and banking phishing sites.
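For the owner of a site that has been turned into one of these intermediaries, the chain described above leaves two traces in the web server's own access log: a PHP resource on the site answering with a redirect to an off-site URL (the gate deciding what the visitor gets), and an Office document being served and then, seconds later, the same visitor being redirected to a cover site such as DocuSign or USPS. The following is an added example, not code from the article or from Group-IB, that scans constructed log lines for those two patterns. It assumes an Apache `LogFormat` that appends the response `Location` header (`%{Location}o`) to the standard combined format; the hostnames, paths and IP addresses in the sample lines are constructed placeholders, and `tds-panel.invalid` stands in for whatever panel or redirect target a real incident would show.

```python
"""Heuristic access-log scan for TDS-gate behaviour on a compromised site.

Added example (not from the article or Group-IB). Assumes Apache combined
format plus the Location response header, e.g.:
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Location}o\""
All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<location>[^"]*)"'
)

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm")
# Legitimate domains the article names as post-download cover redirects.
COVER_DOMAINS = {"docusign.com", "usps.com"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["location"] = "" if rec["location"] == "-" else rec["location"]
    return rec


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_cover(host):
    return any(host == d or host.endswith("." + d) for d in COVER_DOMAINS)


def scan(lines, site_host, window_seconds=10):
    """Return (kind, client_ip, request_path, redirect_target) findings."""
    findings = []
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[(rec["ip"], rec["ua"])].append(rec)

    for (ip, _ua), recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            path = urlparse(r["path"]).path.lower()
            target_host = host_of(r["location"])
            # Heuristic 1: a PHP script on this host redirecting somewhere else.
            if (path.endswith(".php") and r["status"] in REDIRECT_STATUSES
                    and target_host and target_host != site_host.lower()):
                findings.append(("php_offsite_redirect", ip, path, r["location"]))
            # Heuristic 2: Office document served, then a quick cover redirect.
            if path.endswith(OFFICE_EXT) and r["status"] == 200:
                for nxt in recs[i + 1:]:
                    if (nxt["ts"] - r["ts"]).total_seconds() > window_seconds:
                        break
                    if nxt["status"] in REDIRECT_STATUSES and is_cover(host_of(nxt["location"])):
                        findings.append(("doc_then_cover_redirect", ip, path, nxt["location"]))
                        break
    return findings


# Constructed sample log: one gated visitor, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2021:09:15:01 +0000] "GET /wp-content/uploads/cache.php?id=77 HTTP/1.1" 302 0 "https://docs.google.com/" "Mozilla/5.0 (Windows NT 10.0)" "https://tds-panel.invalid/go"',
    '203.0.113.7 - - [10/Aug/2021:09:15:03 +0000] "GET /files/invoice_8821.xls HTTP/1.1" 200 51200 "-" "Mozilla/5.0 (Windows NT 10.0)" "-"',
    '203.0.113.7 - - [10/Aug/2021:09:15:04 +0000] "GET /files/done.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)" "https://www.docusign.com/"',
    '198.51.100.9 - - [10/Aug/2021:09:20:00 +0000] "GET /index.php HTTP/1.1" 200 8190 "-" "Mozilla/5.0 (X11; Linux)" "-"',
    '198.51.100.9 - - [10/Aug/2021:09:20:05 +0000] "GET /about.php HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux)" "https://www.example.com/about/"',
]


def main():
    for kind, ip, path, target in scan(SAMPLE_LOG, "www.example.com"):
        print(f"{kind:26s} client={ip} path={path} -> {target}")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the scan flags the first client three times (the gate script redirecting to the placeholder panel, the spreadsheet download followed by the DocuSign redirect, and the redirect script itself) and ignores the second client, whose only redirect stays on the site's own host. On a real server the same heuristics are cheap enough to run over a full day's log, but an off-site redirect from a PHP file is only a lead: legitimate plugins redirect too, so each hit should be checked against the site's known code and against a file-integrity baseline of the web root.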
"Prometheus TDS also redirected users to sites selling pharmaceutical products," the researchers noted. "Operators of such sites often have affiliate and partnership programs. Partners, in turn, often resort to aggressive SPAM campaigns in order to increase their earnings within the affiliate program. Analysis of the Prometheus infrastructure by Group-IB specialists revealed links that redirect users to sites relating to a Canadian pharmaceutical company."