Prometheus Hacker Group Uses Traffic Direction System to Deliver Malware Binaries to Targets

The TDS (Traffic Direction System) of the Prometheus hacker group has been analyzed recently by the cybersecurity researcher of BlackBerry. 

During their investigation, they detected that there is a correlation with a leaked Cobalt Strike SSL key pair, and several other malware families as well. And not only that even they have also reported that the threat actors are using TDS to deliver malware binaries to their targets.

The Prometheus TDS has been first identified in August 2021, and this Traffic Direction System is mainly used by the threat actors from Russia to perform several malicious operations like:-

• Malware-as-a-Service (MaaS) operations.
• Phishing redirections.

Apart from this, Prometheus is associated with the distribution of the following malware families:-

• Buer Loader
• Campo Loader
• Hancitor
• IcedID
• QBot
• SocGholish

Operation of Prometheus

Over the past few years, Traffic Direction Systems (TDS) has evolved a lot and they are basically a portion of an exploit kit (EK) redirection chain. 

But, due to the decline of EK landscape, the operators of Traffic Direction Systems (TDS) have evolved them and by taking advantage of these scenarios the Prometheus hacker group arose as a full-fledge platform for it.

The operators of the Prometheus group primarily depend on the cracked and leaked copies of the Cobalt Strike since the operators of Prometheus use the online handle of Ma1n.

While previously the Cobalt Strike adversary was conformed as a vital part of the execution chain of the Prometheus TDS, and now it’s been marked by the experts that from the Prometheus backdoor they are moving away.

With the use of an SSL private key Prometheus coincides, and here the SSL private key is one of the essential parts of Cobalt Strike installations that arrives within a cracked version of Cobalt Strike 4.2.

Here’s what the BlackBerry experts have stated:-

“This cracked version (and the SSL key) appears to be so heavily relied upon by Prometheus affiliates that we speculate that this same illegitimate copy of Cobalt Strike could perhaps be proliferated by the Prometheus operators themselves.” 

“We also found that by using clustering mechanisms such as the PROC_INJ_STUB value (which tracks the Cobalt Strike Team Server JAR) we can infer that the SSL key was migrated between version 4.2 to 4.4. This suggests that an entity had a desire to maintain access to Beacons across multiple versions.”

Moreover, there are several well-known hacker groups and malware who are using this cracked version of the Cobalt Strike, from the past couple of years, and here they are:-

• StrongPity
• FickerStealer
• Fin7
• Man1
• Mirai
• Qakbot
• Bashlite
• Gafgyt
• IceID
• Conti
• Ryuk
• BlackMatter
• Cerber ransomware
• Zebra2104

The operators of the Prometheus group mainly use the leaked build of Team Servers to execute all their malicious campaigns, and it has been revealed that they primarily target the public sector organizations.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates