Monday, July 15, 2024

Prometheus Hacker Group Uses Traffic Direction System to Deliver Malware Binaries to Targets

The TDS (Traffic Direction System) of the Prometheus hacker group has been analyzed recently by the cybersecurity researcher of BlackBerry. 

During their investigation, they detected that there is a correlation with a leaked Cobalt Strike SSL key pair, and several other malware families as well. And not only that even they have also reported that the threat actors are using TDS to deliver malware binaries to their targets.

The Prometheus TDS has been first identified in August 2021, and this Traffic Direction System is mainly used by the threat actors from Russia to perform several malicious operations like:-

  • Malware-as-a-Service (MaaS) operations.
  • Phishing redirections. 

Apart from this, Prometheus is associated with the distribution of the following malware families:-

  • Buer Loader
  • Campo Loader
  • Hancitor
  • IcedID
  • QBot
  • SocGholish

Operation of Prometheus

Over the past few years, Traffic Direction Systems (TDS) has evolved a lot and they are basically a portion of an exploit kit (EK) redirection chain. 

But, due to the decline of EK landscape, the operators of Traffic Direction Systems (TDS) have evolved them and by taking advantage of these scenarios the Prometheus hacker group arose as a full-fledge platform for it.

The operators of the Prometheus group primarily depend on the cracked and leaked copies of the Cobalt Strike since the operators of Prometheus use the online handle of Ma1n.

While previously the Cobalt Strike adversary was conformed as a vital part of the execution chain of the Prometheus TDS, and now it’s been marked by the experts that from the Prometheus backdoor they are moving away.

With the use of an SSL private key Prometheus coincides, and here the SSL private key is one of the essential parts of Cobalt Strike installations that arrives within a cracked version of Cobalt Strike 4.2.

Here’s what the BlackBerry experts have stated:-

“This cracked version (and the SSL key) appears to be so heavily relied upon by Prometheus affiliates that we speculate that this same illegitimate copy of Cobalt Strike could perhaps be proliferated by the Prometheus operators themselves.” 

“We also found that by using clustering mechanisms such as the PROC_INJ_STUB value (which tracks the Cobalt Strike Team Server JAR) we can infer that the SSL key was migrated between version 4.2 to 4.4. This suggests that an entity had a desire to maintain access to Beacons across multiple versions.”

Moreover, there are several well-known hacker groups and malware who are using this cracked version of the Cobalt Strike, from the past couple of years, and here they are:-

  • StrongPity
  • FickerStealer
  • Fin7
  • Man1
  • Mirai
  • Qakbot
  • Bashlite
  • Gafgyt
  • IceID
  • Conti
  • Ryuk
  • BlackMatter
  • Cerber ransomware
  • Zebra2104

The operators of the Prometheus group mainly use the leaked build of Team Servers to execute all their malicious campaigns, and it has been revealed that they primarily target the public sector organizations.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles