Wednesday, December 18, 2024

Prometheus Hacker Group Uses Traffic Direction System to Deliver Malware Binaries to Targets


The TDS (Traffic Direction System) operated by the Prometheus hacker group was recently analyzed by cybersecurity researchers at BlackBerry.

During their investigation, they found a correlation between the TDS, a leaked Cobalt Strike SSL key pair, and several other malware families. They also reported that the threat actors are using the TDS to deliver malware binaries to their targets.

The Prometheus TDS was first identified in August 2021, and this Traffic Direction System is mainly used by Russian threat actors for malicious operations such as:

  • Malware-as-a-Service (MaaS) operations.
  • Phishing redirections.

Apart from this, Prometheus is associated with the distribution of the following malware families:

  • Buer Loader
  • Campo Loader
  • Hancitor
  • IcedID
  • QBot
  • SocGholish

Operation of Prometheus

Over the past few years, Traffic Direction Systems (TDS) have evolved considerably; they were originally just one portion of an exploit kit (EK) redirection chain.

As the EK landscape declined, TDS operators adapted their systems, and the Prometheus hacker group took advantage of this shift to build a full-fledged TDS platform.

The operators of the Prometheus group, who use the online handle Ma1n, rely primarily on cracked and leaked copies of Cobalt Strike.

Cobalt Strike was previously confirmed as a vital part of the Prometheus TDS execution chain, but experts have now observed the operators moving away from the Prometheus backdoor.

Prometheus activity overlaps with the use of a particular SSL private key. This key is an essential part of a Cobalt Strike installation, and this one ships within a cracked version of Cobalt Strike 4.2.

Here’s what the BlackBerry experts have stated:

“This cracked version (and the SSL key) appears to be so heavily relied upon by Prometheus affiliates that we speculate that this same illegitimate copy of Cobalt Strike could perhaps be proliferated by the Prometheus operators themselves.” 

“We also found that by using clustering mechanisms such as the PROC_INJ_STUB value (which tracks the Cobalt Strike Team Server JAR) we can infer that the SSL key was migrated between version 4.2 to 4.4. This suggests that an entity had a desire to maintain access to Beacons across multiple versions.”
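The clustering approach the BlackBerry quote describes, pivoting on a Beacon's TLS certificate fingerprint and its PROC_INJ_STUB value to spot a key reused across Team Server versions, can be reproduced on a small scale. The following is an added example for defenders, not code from the article or from BlackBerry. The records, hashes and version numbers are constructed placeholders (a real pipeline would feed in fields extracted by a Beacon configuration parser), and the watchlist of "known leaked" fingerprints is assumed to be maintained by the analyst.

```python
"""Cluster Cobalt Strike Beacon samples by configuration artefacts.

Added example (not from the article or BlackBerry). All sample values below are
constructed placeholders, not real indicators.
"""
from collections import defaultdict
import hashlib

# Constructed records in the shape a Beacon config parser might emit:
# one row per sample, with the extracted PROC_INJ_STUB value and the SHA-256
# fingerprint of the certificate the C2 presented. Placeholders throughout.
SAMPLES = [
    {"sample": "s1", "version": "4.2", "proc_inj_stub": "STUB_A", "tls_cert_sha256": "CERT_X"},
    {"sample": "s2", "version": "4.2", "proc_inj_stub": "STUB_A", "tls_cert_sha256": "CERT_X"},
    {"sample": "s3", "version": "4.4", "proc_inj_stub": "STUB_B", "tls_cert_sha256": "CERT_X"},
    {"sample": "s4", "version": "4.4", "proc_inj_stub": "STUB_B", "tls_cert_sha256": "CERT_Y"},
    {"sample": "s5", "version": "4.3", "proc_inj_stub": "STUB_C", "tls_cert_sha256": "CERT_Z"},
]


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex.

    This is how the tls_cert_sha256 field above would be derived from a
    certificate captured from a live C2 or a PCAP.
    """
    return hashlib.sha256(der_bytes).hexdigest()


def cluster_by(records, field: str):
    """Group sample names by one configuration field (e.g. proc_inj_stub)."""
    groups = defaultdict(list)
    for r in records:
        groups[r[field]].append(r["sample"])
    return {k: sorted(v) for k, v in groups.items()}


def key_reuse_across_versions(records):
    """Certificate fingerprints seen with more than one Beacon version.

    A key that survives a version change suggests one operator migrating
    their Team Server while keeping access to existing Beacons, which is
    the inference the BlackBerry analysis draws.
    """
    versions = defaultdict(set)
    for r in records:
        versions[r["tls_cert_sha256"]].add(r["version"])
    return {fp: sorted(v) for fp, v in versions.items() if len(v) > 1}


def match_watchlist(records, watchlist):
    """Samples whose certificate fingerprint is on an analyst-maintained watchlist."""
    return sorted(r["sample"] for r in records if r["tls_cert_sha256"] in watchlist)


if __name__ == "__main__":
    print("by PROC_INJ_STUB:", cluster_by(SAMPLES, "proc_inj_stub"))
    print("key reused across versions:", key_reuse_across_versions(SAMPLES))
    print("watchlist hits:", match_watchlist(SAMPLES, {"CERT_X"}))
```

In practice the stub and certificate pivots complement each other: the stub changes when the Team Server JAR changes, so it separates builds, while the certificate fingerprint ties those builds back together when the operator carried the same key forward.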

Moreover, over the past couple of years several well-known hacker groups and malware families have used this cracked version of Cobalt Strike, among them:

  • StrongPity
  • FickerStealer
  • Fin7
  • Man1
  • Mirai
  • Qakbot
  • Bashlite
  • Gafgyt
  • IcedID
  • Conti
  • Ryuk
  • BlackMatter
  • Cerber ransomware
  • Zebra2104

The operators of the Prometheus group mainly use the leaked Team Server build to run their malicious campaigns, and it has been revealed that they primarily target public sector organizations.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
