Potential connections between a subscription-based crimeware-as-a-service (Caas) solution and a cracked copy of Cobalt Strike have been established in what the researchers suspect is being offered as a tool for its customers to stage post-exploitation activities.
Prometheus was first discovered in August 2021 by Group-IB, a cybersecurity company. They revealed details about malicious software distribution campaigns that were carried out in Belgium and in the U.S .
.
Costing $250 a month, it’s marketed on Russian underground forums as a traffic distribution service (TDS) to enable phishing redirection on a mass scale to rogue landing pages that are designed to deploy malware payloads on the targeted systems.
“Prometheus can be considered a full-bodied service/platform that allows threat groups to purvey their malware or phishing operations with ease,” BlackBerry Research and Intelligence Team said in a report shared with The Hacker News. “The main components of Prometheus include a web of malicious infrastructure, malicious email distribution, illicit file-hosting through legitimate services, traffic redirection and the ability to deliver malicious files. “
Typically, the redirection is funneled from one of two main sources, namely with the help of malicious ads (aka malvertising) on legitimate websites, or via websites that have been tampered to insert malicious code.
In the case of Prometheus, the attack chain starts with a spam email containing a HTML file or a Google Docs page that, upon interaction, redirects the victim to a compromised website hosting a PHP backdoor that fingerprints the machine to determine whether the to “to serve the victim with malware or redirect them to another page that might contain a phishing scam. “
Earliest activity connected to the operators of the service, who go by the name “Ma1n” on hacking forums, is said to have commenced in October 2018, with the author linked to other illicit tools offering high quality redirects and PowerMTA kits for mailing to corporate mailboxes, before putting up Prometheus TDS for sale on September 22, 2020.
But that’s not the end. BlackBerry found that there were overlaps in Prometheus activity with an unlicensed version of Cobalt Strike threat simulation and threat emulation, which raises the possibility that this copy may be being “proliferated” by Prometheus users. “
“These researchers believe that somebody connected to the Prometheus-TDS may be maintaining the cracked copy of the Prometheus installation and providing it for purchase.” It is possible, however, that the cracked version of this installation could be included in a standard playbook installation or as a virtual machine installation (VM). “
This is substantiated by the fact that a number of threat actors, including DarkCrystal RAT, FickerStealer, FIN7, Qakbot, and IceID, as well as ransomware cartels such as REvil, Ryuk (Wizard Spider), BlackMatter, and Cerber, have used the cracked copy in question over the last two years.
On top of that, the same Cobalt Strike Beacon has also been observed in conjunction with activities associated with an initial access broker tracked as Zebra2104, whose services have been put to use by groups like StrongPity, MountLocker, and Phobos for their own campaigns.
“While TDS’es aren’t a new concept, the level of complexity, support and low financial cost adds credence to the theory that this is a trend that is likely to rise in the threat landscape’s near future,” the researchers noted.
” The number of people using Prometheus TDS services speaks volumes about the effectiveness and success of this illicit infrastructure for hiring that supports the malign activities of all groups, regardless of size or level of resource. “
