Experts Discover Prometheus TDS, An Underground MaaS

Cybersecurity experts from Group-IB, in their technical research on Prometheus TDS, an underground MaaS (Malware as a Service), found that it has been used to distribute various malware families, including Campo Loader, Buer Loader, Qbot, Hancitor, IcedID, and SocGholish. Prometheus has been aggressively advertised on underground forums since last year. It is a platform through which an operator can send emails, perform social engineering, and work with web traffic. Beyond this, the TDS (Traffic Direction System) can also be used for web shell execution, for creating and managing redirects, for working through proxies, is compatible with Google accounts, and can check visitors against blacklists.

Security Week reports that a "typical attack involving Prometheus TDS starts with a malicious email that either carries an HTML file to redirect the victim to a compromised site, or a link to a web shell that performs a redirection. Once the victim follows the link, they are redirected to the Prometheus.Backdoor URL where their data is collected and sent to the Prometheus TDS admin panel, which decides how to serve the next stage." The service is rented for $250 a month. Besides distributing malicious files, the TDS is also used to redirect victims to malicious and phishing sites.
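The first stage described above is an HTML attachment whose only purpose is to bounce the recipient to a redirector. The following scanner is an added example for mail-gateway or SOC triage, not code from Group-IB or from the article: it pulls client-side redirect primitives (meta refresh, JavaScript `location` assignments, auto-submitted forms) out of an HTML attachment, checks whether the destination host is outside an allow-list, and flags attachments that carry almost no visible content besides the redirect. The sample attachments and hostnames (`redirector.example`, `lure.example`, `intranet.corp.example`) are constructed placeholders, not real indicators.

```python
"""
Flag HTML email attachments that exist only to redirect the recipient.

Added example, not from the Group-IB report or the article. The sample
HTML and hostnames below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit

# Client-side redirect primitives commonly found in HTML lures.
# Each pattern captures the destination URL in group 1.
REDIRECT_PATTERNS = {
    "meta_refresh": re.compile(
        r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*url\s*=\s*([^\"'>\s]+)",
        re.IGNORECASE),
    "js_location": re.compile(
        r"(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?"
        r"\s*(?:=|\()\s*[\"']([^\"']+)[\"']",
        re.IGNORECASE),
}
FORM_ACTION = re.compile(r"<form[^>]+action\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
ONLOAD_SUBMIT = re.compile(r"onload\s*=\s*[\"'][^\"']*\.submit\(\)", re.IGNORECASE)


@dataclass
class Finding:
    technique: str
    url: str


@dataclass
class ScanResult:
    findings: List[Finding] = field(default_factory=list)
    suspicious: bool = False
    reasons: List[str] = field(default_factory=list)


def extract_redirects(html: str) -> List[Finding]:
    """Return every redirect primitive found in the attachment."""
    findings = []
    for name, pattern in REDIRECT_PATTERNS.items():
        for m in pattern.finditer(html):
            findings.append(Finding(name, m.group(1)))
    # A form that submits itself on page load is a redirect in disguise.
    if ONLOAD_SUBMIT.search(html):
        for m in FORM_ACTION.finditer(html):
            findings.append(Finding("form_autosubmit", m.group(1)))
    return findings


def is_external(url: str, allowed_hosts: Tuple[str, ...]) -> bool:
    """True if the URL points at an absolute host not on the allow-list."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # relative or non-web URL: nothing to bounce to
    return parts.hostname.lower() not in {h.lower() for h in allowed_hosts}


def visible_text_length(html: str) -> int:
    """Approximate length of text a recipient would actually see."""
    no_scripts = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html,
                        flags=re.IGNORECASE | re.DOTALL)
    text = re.sub(r"<[^>]+>", " ", no_scripts)
    return len(" ".join(text.split()))


def scan_attachment(html: str, allowed_hosts: Tuple[str, ...] = ()) -> ScanResult:
    """Classify an HTML attachment; suspicious when it redirects off-list."""
    findings = extract_redirects(html)
    external = [f for f in findings if is_external(f.url, allowed_hosts)]
    reasons = []
    for f in external:
        reasons.append(f"{f.technique} redirect to external host {urlsplit(f.url).hostname}")
    if external and visible_text_length(html) < 200:
        reasons.append("almost no visible content: attachment exists only to redirect")
    return ScanResult(findings, bool(external), reasons)


# Constructed samples (placeholder hosts, not real indicators).
LURE_META = ('<html><head><meta http-equiv="refresh" '
             'content="0; url=http://redirector.example/r.php"></head>'
             '<body>Loading...</body></html>')
LURE_JS = ('<html><body><script>window.location.href = '
           '"https://lure.example/login";</script></body></html>')
BENIGN = ('<html><body><p>Quarterly report attached. See '
          '<a href="https://intranet.corp.example/report">the portal</a>.</p>'
          '</body></html>')

if __name__ == "__main__":
    for label, sample in (("meta", LURE_META), ("js", LURE_JS), ("benign", BENIGN)):
        r = scan_attachment(sample, allowed_hosts=("intranet.corp.example",))
        print(label, "suspicious" if r.suspicious else "clean", r.reasons)
```

The allow-list keeps the check usable on real mail streams: a newsletter that links to the company portal produces no finding, while an attachment that bounces straight to an unknown host with nothing but "Loading..." on the page is exactly the shape of the first stage the report describes.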

The first Prometheus TDS campaign was found in 2021, along with additional active campaigns, and a total of 3,000 targeted users have been identified to date. The TDS includes an administrator panel that lets operators adjust the parameters of a malware campaign, including which malicious files are served and which geolocations, operating systems and browsers are targeted or excluded. Compromised third-party sites serve as intermediaries between victims and the administrative panel. On one of these sites, the researchers found a PHP backdoor file dubbed 'Prometheus'.

It is built to collect visitor data and transmit it to the panel. "The service has been used to send malicious emails to more than 3,000 addresses to date. The most active campaign targeted individuals in Belgium (more than 2,000 emails), while the second largest attack targeted US entities (more than 260 emails targeting government agencies and organizations in sectors such as finance, insurance, healthcare, energy and mining, retail, IT, and cybersecurity)," Security Week reported.