Possible connections between a subscription-based crimeware-as-a-service (CaaS) offering and a cracked copy of Cobalt Strike have been established in what the researchers suspect is currently being supplied as a tool for its customers to stage post-exploitation routines.
Prometheus, as the service is called, first came to light in August 2021 when cybersecurity company Group-IB disclosed details of malicious software distribution campaigns undertaken by cybercriminal groups to distribute Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish in Belgium and the U.S.
Costing $250 a month, it is marketed on Russian underground forums as a traffic direction system (TDS) to enable phishing redirection on a mass scale to rogue landing pages that are designed to deploy malware payloads on the targeted systems.
“Prometheus can be considered a full-bodied service/platform that allows threat groups to purvey their malware or phishing operations with ease,” BlackBerry Research and Intelligence Team said in a report shared with The Hacker News. “The main components of Prometheus include a web of malicious infrastructure, malicious email distribution, illicit file-hosting through legitimate services, traffic redirection and the ability to deliver malicious files.”
Typically, the redirection is funneled from one of two main sources, namely with the help of malicious advertisements (aka malvertising) on legitimate sites, or through websites that have been tampered with to insert malicious code.
In the case of Prometheus, the attack chain begins with a spam email containing an HTML file or a Google Docs page that, upon interaction, redirects the victim to a compromised website hosting a PHP backdoor that fingerprints the machine to determine whether “to serve the victim with malware or redirect them to another page that may contain a phishing scam.”
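The chain described above (lure page, PHP gate on a compromised site, then either a binary download or a phishing page) leaves a recognisable referrer trail in web proxy logs. The following added example, not from the article or from BlackBerry, reconstructs that trail per client from constructed proxy log lines; the log format, hostnames and file names are assumptions for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log (not real traffic): time client status url referrer content_type
LOGS = """\
10:00:01 10.0.0.5 200 https://docs.google.com/document/d/abc - text/html
10:00:04 10.0.0.5 302 http://compromised-site.example/uploads/index.php https://docs.google.com/document/d/abc text/html
10:00:05 10.0.0.5 200 http://payload-host.example/invoice.exe http://compromised-site.example/uploads/index.php application/x-msdownload
10:00:07 10.0.0.9 200 https://docs.google.com/document/d/xyz - text/html
10:00:10 10.0.0.9 302 http://compromised-site.example/uploads/index.php https://docs.google.com/document/d/xyz text/html
10:00:11 10.0.0.9 200 http://login-lookalike.example/signin.html http://compromised-site.example/uploads/index.php text/html
10:01:00 10.0.0.7 200 https://docs.google.com/document/d/ok - text/html
"""

DOC_LURES = {"docs.google.com"}  # lure host named in the article; extend as needed
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream"}


def parse(log_text):
    """Split the constructed whitespace-separated log into dicts."""
    rows = []
    for line in log_text.strip().splitlines():
        t, client, status, url, ref, ctype = line.split()
        rows.append(dict(time=t, client=client, status=int(status), url=url,
                         referrer=None if ref == "-" else ref, ctype=ctype))
    return rows


def detect_tds_chains(log_text):
    """Per client: lure page -> .php gate answering 302 -> what the gate sent the victim to."""
    by_client = defaultdict(list)
    for r in parse(log_text):
        by_client[r["client"]].append(r)
    findings = []
    for client, rows in by_client.items():
        for i, r in enumerate(rows):
            ref_host = urlparse(r["referrer"] or "").hostname
            if ref_host not in DOC_LURES or not urlparse(r["url"]).path.endswith(".php"):
                continue
            if r["status"] != 302:
                continue  # the gate fingerprinted the client but did not redirect it
            # The next request referred by the gate shows which branch the victim got.
            for nxt in rows[i + 1:]:
                if nxt["referrer"] != r["url"]:
                    continue
                outcome = "malware" if nxt["ctype"] in BINARY_TYPES else "phishing_redirect"
                findings.append(dict(client=client, gate=r["url"], dest=nxt["url"], outcome=outcome))
                break
    return findings
```

Clients that only opened the lure page (10.0.0.7 above) produce no finding, which keeps the rule from flagging ordinary document sharing.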
The earliest activity linked to the operators of the service, who go by the name “Ma1n” on hacking forums, is said to have commenced in October 2018, with the author connected to other illicit tools offering high-quality redirects and PowerMTA kits for mailing to corporate mailboxes, before putting Prometheus TDS up for sale on September 22, 2020.
That is not all. BlackBerry also found overlaps between Prometheus-linked activity and an illegitimate version of the Cobalt Strike adversary simulation and threat emulation software, raising the possibility that the copy is being “proliferated by the Prometheus operators themselves.”
“It is possible that someone associated with the Prometheus TDS is maintaining this cracked copy and providing it upon purchase,” the researchers said. “It is also possible that this cracked installation may be offered as part of a standard playbook or a virtual machine (VM) installation.”
This is substantiated by the fact that a number of threat actors, including DarkCrystal RAT, FickerStealer, FIN7, Qakbot, and IcedID, as well as ransomware cartels such as REvil, Ryuk (Wizard Spider), BlackMatter, and Cerber, have used the cracked copy in question over the last two years.
On top of that, the same Cobalt Strike Beacon has also been observed in conjunction with activities associated with an initial access broker tracked as Zebra2104, whose services have been put to use by groups like StrongPity, MountLocker, and Phobos for their own campaigns.
“While TDS’es aren’t a new concept, the level of sophistication, support and low financial cost adds credence to the theory that this is a trend that is likely to rise in the threat landscape’s near future,” the researchers noted.
“The number of groups that are using offerings such as the Prometheus TDS speaks to the success and efficacy of these illicit infrastructure-for-hire services, which are essentially full-fledged enterprises that support the malicious activities of groups regardless of their size, level of resourcing or motives.”
Some parts of this article are sourced from:
thehackernews.com