Prometheus Hacker Group Uses Traffic Direction System to Deliver Malware Binaries to Targets

The TDS (Traffic Direction System) of the Prometheus hacker group has been analyzed recently by the cybersecurity researcher of BlackBerry. 

During their investigation, they detected that there is a correlation with a leaked Cobalt Strike SSL key pair, and several other malware families as well. And not only that even they have also reported that the threat actors are using TDS to deliver malware binaries to their targets.

The Prometheus TDS has been first identified in August 2021, and this Traffic Direction System is mainly used by the threat actors from Russia to perform several malicious operations like:-

  • Malware-as-a-Service (MaaS) operations.
  • Phishing redirections.

Apart from this, Prometheus is associated with the distribution of the following malware families:-

  • Buer Loader
  • Campo Loader
  • Hancitor
  • IcedID
  • QBot
  • SocGholish

Operation of Prometheus

Over the past few years, Traffic Direction Systems (TDS) has evolved a lot and they are basically a portion of an exploit kit (EK) redirection chain. 

But, due to the decline of EK landscape, the operators of Traffic Direction Systems (TDS) have evolved them and by taking advantage of these scenarios the Prometheus hacker group arose as a full-fledge platform for it.

The operators of the Prometheus group primarily depend on the cracked and leaked copies of the Cobalt Strike since the operators of Prometheus use the online handle of Ma1n.

While previously the Cobalt Strike adversary was conformed as a vital part of the execution chain of the Prometheus TDS, and now it’s been marked by the experts that from the Prometheus backdoor they are moving away.

With the use of an SSL private key Prometheus coincides, and here the SSL private key is one of the essential parts of Cobalt Strike installations that arrives within a cracked version of Cobalt Strike 4.2.

Here’s what the BlackBerry experts have stated:-

“This cracked version (and the SSL key) appears to be so heavily relied upon by Prometheus affiliates that we speculate that this same illegitimate copy of Cobalt Strike could perhaps be proliferated by the Prometheus operators themselves.” 

“We also found that by using clustering mechanisms such as the PROC_INJ_STUB value (which tracks the Cobalt Strike Team Server JAR) we can infer that the SSL key was migrated between version 4.2 to 4.4. This suggests that an entity had a desire to maintain access to Beacons across multiple versions.”

Moreover, there are several well-known hacker groups and malware who are using this cracked version of the Cobalt Strike, from the past couple of years, and here they are:-

  • StrongPity
  • FickerStealer
  • Fin7
  • Man1
  • Mirai
  • Qakbot
  • Bashlite
  • Gafgyt
  • IceID
  • Conti
  • Ryuk
  • BlackMatter
  • Cerber ransomware
  • Zebra2104

The operators of the Prometheus group mainly use the leaked build of Team Servers to execute all their malicious campaigns, and it has been revealed that they primarily target the public sector organizations.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Google Unveils New Intelligent, Real-Time Protections for Android Users

Google has once again raised the bar for mobile security by introducing two new AI-powered…

13 hours ago

Chinese National Faces 20 Years of Jail Time for Laundering Millions in Crypto

Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and a…

13 hours ago

Google to Issue CVEs for Critical Cloud Vulnerabilities

Google Cloud has announced a significant step forward in its commitment to transparency and security…

15 hours ago

GitLab Patches Critical Flaws Leads to Unauthorized Access to Kubernetes Cluster

GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community Edition…

16 hours ago

Windows 0-Day Exploited in Wild with Single Right Click

A newly discovered zero-day vulnerability, CVE-2024-43451, has been actively exploited in the wild, targeting Windows systems…

17 hours ago

Automating Identity and Access Management for Modern Enterprises

Keeping track of who has access and managing their permissions has gotten a lot more…

1 day ago