A link between the Prometheus traffic direction system (TDS) and a cracked copy of Cobalt Strike is suspected. Both are being provided to multiple threat actors as tools for orchestrating post-exploitation actions.
How did things turn out?
BlackBerry researchers observed similarities between an unauthorised version of Cobalt Strike and Prometheus TDS-related activities, which might be spread by Prometheus operators.
Experts speculated that the cracked version of Cobalt Strike is being managed and sold by someone connected to the Prometheus TDS. It might also be supplied as part of a standard playbook or a virtual machine installation.
Prometheus TDS is marketed as a solution for mass phishing redirection to rogue landing pages used to transmit malware payloads.
According to the most recent offering on Russian underground forums, the malware service costs $250 a month.
The Ability Of Prometheus
A web of malicious infrastructure, PHP backdoors, malicious email distribution, illicit file-hosting using legitimate services, traffic redirection, and delivery of malicious files are some of Prometheus’ key characteristics.
According to a new investigation by BlackBerry researchers, Prometheus TDS first appeared in September 2020, when a user named Ma1n advertised it on an underground Russian forum. Since at least 2018, the user has been active in the cybercrime sector, previously promoting mass email services and non-blacklisted business-grade SMTP servers capable of sending hundreds of thousands of emails with valid SPF, DKIM, and DMARC headers.
Previously, Ma1n provided web traffic redirection services through existing TDS systems like Blacktds and KeitaroTDS. They appear to have developed their own solution, nicknamed Prometheus, as a result of their years of experience.
The purpose of traffic redirection systems like these is to send genuine online visitors to malware, phishing pages, tech support scams, and other criminal activities. This is accomplished by injecting malicious scripts into compromised websites to intercept traffic, or by serving malicious adverts to users on legitimate websites via ad networks.
The main advantage of a TDS is that it allows hackers to establish, from an administration panel, redirection rules based on the type of visitor hitting the system’s web of malicious landing pages. Prometheus accomplishes this on hacked websites using a simple PHP backdoor script that fingerprints visitors (browser, OS, timezone, and language settings) and sends the information to a command-and-control server, from which it retrieves redirect instructions set by the attackers. This means that, depending on the target demographic that the various groups renting TDS services want to reach, different kinds of visitors can be steered to different campaigns, and victims may end up seeing localised scams in their own language.
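The fingerprint-dependent redirect described above is also what gives a TDS away to a defender. The following is an added example, not code from the article or from BlackBerry's research: a cloaking check that requests the same URL under several visitor profiles and flags it when the redirect target depends on the profile. The profile names, the placeholder hostnames and the two `fetch` stubs are constructed so the check runs offline.

```python
# Added example (not from the article): probe one URL with several visitor
# fingerprints and flag it when the redirect target depends on the fingerprint,
# which is the behaviour a TDS backdoor exhibits. The HTTP layer is abstracted
# as a `fetch` callable so the check can run offline against a constructed stub.
from typing import Callable, Dict, Optional, Tuple

# Constructed visitor profiles: the headers a TDS-style script fingerprints on.
PROFILES: Dict[str, Dict[str, str]] = {
    "windows_en": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                   "Accept-Language": "en-US,en;q=0.9"},
    "mac_de":     {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0)",
                   "Accept-Language": "de-DE,de;q=0.9"},
    "crawler":    {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)",
                   "Accept-Language": "en"},
}

# fetch(url, headers) -> (status_code, Location header or None), no redirects followed
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Optional[str]]]

def probe_cloaking(url: str, fetch: Fetch) -> Dict[str, object]:
    """Fetch `url` once per profile and report whether the redirect target
    differs between profiles (None means the profile was not redirected)."""
    targets: Dict[str, Optional[str]] = {}
    for name, headers in PROFILES.items():
        status, location = fetch(url, headers)
        targets[name] = location if 300 <= status < 400 else None
    distinct = set(targets.values())
    return {"url": url, "targets": targets, "cloaked": len(distinct) > 1}

# Constructed stub standing in for a compromised site's PHP backdoor: it sends
# English-speaking Windows visitors to a lure page, shows crawlers the original
# content, and sends everyone else to a benign page. Hostnames are placeholders.
def fake_tds_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    ua = headers.get("User-Agent", "")
    lang = headers.get("Accept-Language", "")
    if "bot" in ua.lower():
        return 200, None                       # crawlers see the real page
    if "Windows" in ua and lang.startswith("en"):
        return 302, "http://lure.example/download.php"
    return 302, "http://benign.example/"

# Constructed stub for an uncompromised site: the same answer for every visitor.
def fake_clean_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    return 200, None

if __name__ == "__main__":
    print(probe_cloaking("http://compromised.example/index.php", fake_tds_fetch))
    print(probe_cloaking("http://compromised.example/index.php", fake_clean_fetch))
```

A site that legitimately localises by Accept-Language will also vary its response, so a positive result is a lead for manual review of the redirect targets rather than a verdict.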
Who has profited from its application?
FIN7, FickerStealer, Qakbot, DarkCrystal RAT, IcedID, BlackMatter, Ryuk, Cerber, and REvil are just a few of the threat actors and ransomware groups that have used the cracked version of Cobalt Strike in the previous two years.
In addition, the same Cobalt Strike Beacon was seen in activity linked to an initial access broker named Zebra2104, whose broker services are used by MountLocker, Phobos, and StrongPity.
Security agencies are concerned about the combined offering of Prometheus TDS and the cracked Cobalt Strike tool. Multiple threat actors are already using the service, indicating that it is in high demand. Furthermore, it underscores the reality that criminals are rapidly adopting a business-like professionalism in their malicious services.