A number of cybercriminal groups are leveraging a malware-as-a-service (MaaS) offering to run a variety of malware distribution campaigns that result in the deployment of payloads such as Campo Loader, Hancitor, […], and SocGholish against individuals in Belgium as well as government agencies, companies, and corporations in the U.S.
Dubbed "Prometheus TDS" (short for Traffic Direction System) and available for sale on underground platforms for $250 a month since August 2020, the service is designed to distribute malware-laced Word and Excel documents and divert users to phishing and malicious sites, according to a Group-IB report shared with The Hacker News.
More than 3,000 email addresses are said to have been singled out via malicious campaigns in which Prometheus TDS was used to send malicious emails, with banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance emerging as the prominent verticals targeted by the attacks.
"Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites," Group-IB researchers said. "This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users' geolocation, browser version, and operating system."
The service is also known to make use of third-party infected websites that are manually added by the campaign's operators and act as a middleman between the attacker's administrative panel and the user. To achieve this, a PHP file named "Prometheus.Backdoor" is uploaded to the compromised website to collect and send back data about the victim, based on which a decision is taken as to whether to send the payload to the user and/or to redirect them to the specified URL.
The attack chain commences with an email containing an HTML file, a link to a web shell that redirects users to a specified URL, or a link to a Google Doc embedded with a URL that redirects users to the malicious link. Opening or clicking it leads the recipient to the infected website, which stealthily collects basic information (IP address, User-Agent, Referrer header, time zone, and language data) and then forwards this data to the Prometheus admin panel.
In the final phase, the administrative panel takes responsibility for sending a command to redirect the user to a particular URL, or to send a malware-ridden Microsoft Word or Excel document, with the user redirected to a legitimate website like DocuSign or USPS immediately after downloading the file to mask the malicious activity. Besides distributing malicious files, researchers found that Prometheus TDS is also used as a classic TDS to redirect users to specific sites, such as fake VPN websites, dubious portals selling Viagra and Cialis, and banking phishing sites.
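Two observable artefacts of the chain described above are the request to the "Prometheus.Backdoor" PHP file on a compromised site and the Office document download that is immediately followed by a redirect to a decoy such as DocuSign or USPS. The following detector is an added example written for this page, not code from Group-IB or The Hacker News: it runs over a constructed proxy log (the log format, the hostnames, the client IPs and the 30-second correlation window are all assumptions made for the example; the backdoor file name and the decoy domains come from the article).

```python
"""Hypothetical detector for two Prometheus TDS artefacts named in the article:
1. HTTP requests to the 'Prometheus.Backdoor' PHP file dropped on compromised sites
2. an Office document download followed within a short window by an HTTP redirect
   to a legitimate decoy site (DocuSign, USPS)
All sample log lines below are constructed; no real infrastructure is referenced.
"""
import re
from datetime import datetime, timezone

# Constructed proxy log format (assumption): <ISO timestamp> <client-ip> <status> <method> <url> [location=<redirect target>]
SAMPLE_LOG = """\
2021-08-05T10:00:01Z 10.0.0.5 200 GET http://example-compromised.test/wp-content/Prometheus.Backdoor.php
2021-08-05T10:00:03Z 10.0.0.5 200 GET http://example-compromised.test/files/invoice.docm
2021-08-05T10:00:04Z 10.0.0.5 302 GET http://example-compromised.test/go location=https://www.docusign.com/
2021-08-05T10:05:00Z 10.0.0.9 200 GET http://intranet.test/report.xlsx
2021-08-05T11:30:00Z 10.0.0.9 302 GET http://intranet.test/login location=https://www.usps.com/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<status>\d{3}) (?P<method>[A-Z]+) (?P<url>\S+)"
    r"(?: location=(?P<location>\S+))?$"
)
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm")
DECOY_DOMAINS = ("docusign.com", "usps.com")  # decoy redirect targets named in the article
BACKDOOR_MARKER = "prometheus.backdoor"        # PHP file name reported by Group-IB


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["status"] = int(rec["status"])
    return rec


def host_of(url):
    """Return the lower-cased host part of an http(s) URL, or '' if there is none."""
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def is_decoy(location):
    """True when the redirect target is one of the decoy domains or a subdomain of one."""
    host = host_of(location)
    return any(host == d or host.endswith("." + d) for d in DECOY_DOMAINS)


def detect(log_text, window_seconds=30):
    """Return (rule, client_ip, url) findings in log order.

    window_seconds is an assumption: how soon after an Office download a decoy
    redirect must occur for the pair to be correlated.
    """
    findings = []
    last_doc = {}  # client ip -> (timestamp, url) of its most recent Office download
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["url"].split("?", 1)[0].lower()
        # Rule 1: any request for the backdoor PHP file on a site we proxy for.
        if BACKDOOR_MARKER in path:
            findings.append(("backdoor_request", rec["ip"], rec["url"]))
        # Remember successful Office document downloads per client.
        if rec["status"] == 200 and path.endswith(OFFICE_EXT):
            last_doc[rec["ip"]] = (rec["ts"], rec["url"])
            continue
        # Rule 2: redirect to a decoy domain shortly after that client's download.
        if rec["status"] in (301, 302, 303, 307) and rec["location"] and is_decoy(rec["location"]):
            prev = last_doc.get(rec["ip"])
            if prev and (rec["ts"] - prev[0]).total_seconds() <= window_seconds:
                findings.append(("doc_then_decoy_redirect", rec["ip"], prev[1]))
    return findings


if __name__ == "__main__":
    for rule, ip, url in detect(SAMPLE_LOG):
        print(rule, ip, url)
```

On the constructed log, client 10.0.0.5 triggers both rules, while client 10.0.0.9 downloads a spreadsheet and is redirected to USPS 85 minutes later, which the correlation window deliberately ignores; tune the window and the document extensions to your own telemetry, and treat a rule-1 hit as an indicator that the site being proxied, not the client, is compromised.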
"Prometheus TDS also redirected users to sites selling pharmaceutical products," the researchers noted. "Operators of such sites often have affiliate and partnership programs. Partners, in turn, often resort to aggressive SPAM campaigns in order to increase the earnings within the affiliate program. Analysis of the Prometheus infrastructure by Group-IB specialists revealed links that redirect users to sites relating to a Canadian pharmaceutical company."