A number of cybercriminal groups are leveraging a malware-as-a-service (MaaS) offering to run a wide range of malicious software distribution campaigns that result in the deployment of payloads such as Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish against individuals in Belgium as well as government agencies, companies, and corporations in the U.S.
Dubbed "Prometheus TDS" (short for Traffic Direction System) and available for sale on underground platforms for $250 a month since August 2020, the service is designed to distribute malware-laced Word and Excel documents and divert users to phishing and malicious sites, according to a Group-IB report shared with The Hacker News.
More than 3,000 email addresses are said to have been singled out in malicious campaigns in which Prometheus TDS was used to send malicious emails, with banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance emerging as the prominent verticals targeted by the attacks.
"Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites," Group-IB researchers said. "This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users' geolocation, browser version, and operating system."
The service is also known to employ third-party infected websites that are manually added by the campaign's operators and act as a middleman between the attacker's administrative panel and the user. To achieve this, a PHP file named "Prometheus.Backdoor" is uploaded to the compromised website to collect and send back data about the victim, on the basis of which a decision is made as to whether to send the payload to the user and/or to redirect them to the specified URL.
The attack chain begins with an email containing an HTML file, a link to a web shell that redirects users to a specified URL, or a link to a Google Doc embedded with a URL that redirects users to the malicious link. When opened or clicked, it leads the recipient to the infected website, which stealthily collects basic data (IP address, User-Agent, Referrer header, time zone, and language information) and then forwards this information to the Prometheus admin panel.
In the final stage, the administrative panel takes responsibility for sending a command to redirect the user to a specific URL, or to serve a malware-ridden Microsoft Word or Excel document, with the user redirected to a legitimate website like DocuSign or USPS immediately after downloading the file to mask the malicious activity. Besides distributing malicious files, researchers found that Prometheus TDS is also used as a classic TDS to redirect users to specific sites, such as fake VPN websites, dubious portals selling Viagra and Cialis, and banking phishing sites.
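The "download, then bounce to DocuSign or USPS" sequence described above leaves a recognisable footprint in outbound proxy logs. The following hunt is an added example written for this article, not Group-IB's or The Hacker News' code: it parses constructed proxy log lines (the hosts, IPs, timestamps and the `TRUSTED_DOC_HOSTS` allowlist are all hypothetical) and flags any client that fetched an Office document from a non-allowlisted host and reached one of the decoy domains within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log (not from the article): "timestamp client_ip method url status"
SAMPLE_LOG = """\
2021-08-05T10:00:01 10.1.2.3 GET http://compromised-site.test/page.php 200
2021-08-05T10:00:03 10.1.2.3 GET http://compromised-site.test/files/invoice.docm 200
2021-08-05T10:00:05 10.1.2.3 GET https://www.docusign.com/ 200
2021-08-05T10:03:00 10.1.2.4 GET https://intranet.corp.test/report.xlsx 200
2021-08-05T10:03:02 10.1.2.4 GET https://www.usps.com/ 200
2021-08-05T10:05:00 10.1.2.5 GET http://compromised-site.test/files/offer.docx 200
2021-08-05T10:20:00 10.1.2.5 GET https://www.usps.com/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm")
DECOY_DOMAINS = {"docusign.com", "usps.com"}   # legitimate sites the article names as post-download decoys
TRUSTED_DOC_HOSTS = {"intranet.corp.test"}     # hypothetical allowlist of internal document servers


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_decoy(host):
    return any(host == d or host.endswith("." + d) for d in DECOY_DOMAINS)


def find_prometheus_like_sequences(log_text, window=timedelta(seconds=10)):
    """Return (client, document_url, decoy_url) for every Office download from a
    non-allowlisted host that the same client followed with a decoy-site visit inside `window`."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, _method, url, _status = m.groups()
        by_client[client].append((datetime.fromisoformat(ts), url))
    hits = []
    for client, events in by_client.items():
        events.sort()
        for i, (t_doc, doc_url) in enumerate(events):
            if not urlparse(doc_url).path.lower().endswith(OFFICE_EXT) or host_of(doc_url) in TRUSTED_DOC_HOSTS:
                continue
            for t_next, next_url in events[i + 1:]:
                if t_next - t_doc > window:
                    break  # events are sorted, so nothing later can be inside the window
                if is_decoy(host_of(next_url)):
                    hits.append((client, doc_url, next_url))
                    break
    return hits
```

On the sample log only 10.1.2.3 is flagged: 10.1.2.4 downloaded from an allowlisted host and 10.1.2.5 reached USPS fifteen minutes later, outside the window.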
"Prometheus TDS also redirected users to sites selling pharmaceutical products," the researchers noted. "Operators of such sites often have affiliate and partnership programs. Partners, in turn, often resort to aggressive SPAM campaigns in order to increase the earnings within the affiliate program. Analysis of the Prometheus infrastructure by Group-IB experts revealed links that redirect users to sites relating to a Canadian pharmaceutical company."
Some parts of this article are sourced from:
thehackernews.com