Friday, March 29, 2024

Prometheus Hacker Group Uses Traffic Direction System to Deliver Malware Binaries to Targets

The TDS (Traffic Direction System) of the Prometheus hacker group has been analyzed recently by the cybersecurity researcher of BlackBerry. 

During their investigation, they detected that there is a correlation with a leaked Cobalt Strike SSL key pair, and several other malware families as well. And not only that even they have also reported that the threat actors are using TDS to deliver malware binaries to their targets.

The Prometheus TDS has been first identified in August 2021, and this Traffic Direction System is mainly used by the threat actors from Russia to perform several malicious operations like:-

  • Malware-as-a-Service (MaaS) operations.
  • Phishing redirections. 

Apart from this, Prometheus is associated with the distribution of the following malware families:-

  • Buer Loader
  • Campo Loader
  • Hancitor
  • IcedID
  • QBot
  • SocGholish

Operation of Prometheus

Over the past few years, Traffic Direction Systems (TDS) has evolved a lot and they are basically a portion of an exploit kit (EK) redirection chain. 

But, due to the decline of EK landscape, the operators of Traffic Direction Systems (TDS) have evolved them and by taking advantage of these scenarios the Prometheus hacker group arose as a full-fledge platform for it.

The operators of the Prometheus group primarily depend on the cracked and leaked copies of the Cobalt Strike since the operators of Prometheus use the online handle of Ma1n.

While previously the Cobalt Strike adversary was conformed as a vital part of the execution chain of the Prometheus TDS, and now it’s been marked by the experts that from the Prometheus backdoor they are moving away.

With the use of an SSL private key Prometheus coincides, and here the SSL private key is one of the essential parts of Cobalt Strike installations that arrives within a cracked version of Cobalt Strike 4.2.

Here’s what the BlackBerry experts have stated:-

“This cracked version (and the SSL key) appears to be so heavily relied upon by Prometheus affiliates that we speculate that this same illegitimate copy of Cobalt Strike could perhaps be proliferated by the Prometheus operators themselves.” 

“We also found that by using clustering mechanisms such as the PROC_INJ_STUB value (which tracks the Cobalt Strike Team Server JAR) we can infer that the SSL key was migrated between version 4.2 to 4.4. This suggests that an entity had a desire to maintain access to Beacons across multiple versions.”

Moreover, there are several well-known hacker groups and malware who are using this cracked version of the Cobalt Strike, from the past couple of years, and here they are:-

  • StrongPity
  • FickerStealer
  • Fin7
  • Man1
  • Mirai
  • Qakbot
  • Bashlite
  • Gafgyt
  • IceID
  • Conti
  • Ryuk
  • BlackMatter
  • Cerber ransomware
  • Zebra2104

The operators of the Prometheus group mainly use the leaked build of Team Servers to execute all their malicious campaigns, and it has been revealed that they primarily target the public sector organizations.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles