Cybercrime is fueled by a complex ecosystem of criminal groups that specialize in different pieces of the final attack chains experienced by victims. There are the malware developers, the access brokers, the spammers, the private information sellers, the botnet operators, the malvertizers and more.
One service that is often overlooked but still plays an important role in malware delivery is the so-called traffic direction system (TDS). These are networks of compromised websites and other servers whose goal is to direct victims to malware or phishing pages. Due to the decline of web-based exploit kits and drive-by downloads in recent years, such services have fallen out of the spotlight, but an investigation into a TDS called Prometheus shows that they still play a key role in ransomware and other malware distribution.
What is Prometheus TDS?
According to a new report by researchers from BlackBerry, Prometheus TDS appeared around September 2020 when it was advertised on an underground Russian forum by a user called Ma1n. The user has been active in the cybercrime scene since at least 2018, previously advertising mass email services and non-blacklisted business-grade SMTP servers that can be used to send hundreds of thousands of emails with proper SPF, DKIM and DMARC headers.
Ma1n also previously offered web traffic redirect services via existing TDS solutions such as Blacktds and KeitaroTDS. It seems the expertise acquired over the years led to them creating their own solution dubbed Prometheus.
The goal of such traffic direction systems is to redirect legitimate web users to malware, phishing pages, tech support scams, or other malicious operations. This is achieved by placing malicious scripts on compromised websites that intercept traffic or through malicious advertisements that are served to users on legitimate websites through ad networks.
The main benefit of a TDS is that it allows cybercriminals to define redirection rules from an administration panel based on the type of visitors hitting the system’s web of malicious landing pages. On compromised websites, Prometheus achieves this through a simple PHP backdoor script that fingerprints visitors — browser, OS, timezone, language settings — and sends the information back to a command-and-control server, from which it pulls redirect instructions defined by attackers. This means that different categories of visitors can be redirected to different campaigns, depending on the target audience the various groups renting TDS services want to reach, and victims can also end up seeing localized scams in their own language.
The BlackBerry researchers believe the Prometheus PHP backdoor is deployed on websites that use a vulnerable version of the PHPMailer software. However, the use of this script has declined significantly over the past few months, possibly in favor of other methods.
According to an August analysis of Prometheus by Russian cybercrime investigation firm Group-IB, a typical attack chain will start with spam emails that contain either an HTML attachment, a Google Docs URL, or a link to a web shell hosted on a compromised server. In all cases, the goal is to get the user to open a malicious URL that will lead to a Prometheus PHP backdoor. In the second stage, the backdoor collects the visitor info, sends it to the admin panel and then decides to either serve malware directly to the user or redirect them to another URL that has been defined by attackers.
Prometheus is used by many cybercriminal groups
In its analysis, Group-IB mentioned seeing Prometheus distributing Campo Loader, also known as BazaLoader, in the form of decoy Microsoft Office files with malicious macros attached. Malware loaders are small first-stage downloaders that are used to distribute other malicious programs, often as part of a pay-per-install service offered to cybercriminals. Campo Loader was used in the past to distribute TrickBot and the Ursnif/Gozi Trojans. TrickBot was used itself in the past as an access facilitator to deploy Ryuk ransomware and other malware.
According to Group-IB, other Trojans distributed by Prometheus include Hancitor, which was linked to Ficker Stealer, Cobalt Strike, and Send-Safe; IcedID, which is known to distribute ransomware; QBot, a general-purpose banking Trojan; VBS Loader; Buer Loader; and SocGholish. The lures used by Prometheus to distribute these malware programs vary from fake Chrome updates and VPN software to malicious documents that claim to need DocuSign authorization and ZIP archives with malicious scripts. The TDS has also been used to redirect users to bank phishing sites, Viagra spam and more.
The pirated Cobalt Strike link
BlackBerry researchers noticed a significant correlation between Prometheus affiliates and the use of the Cobalt Strike Beacon with a particular pirated encryption key. Cobalt Strike is a commercial penetration testing toolkit, but it has been adopted by many cybercriminal groups as a backdoor because of its stealthy capabilities.
The Cobalt Strike implant, called a beacon, that is deployed on compromised machines communicates back to a command-and-control server called a team server. The traffic between the beacon and the team server is encrypted using public/private key cryptography with a key pair generated when the team server is first deployed. However, the BlackBerry researchers noted many Prometheus-related malware distribution campaigns using the same Cobalt Strike key pair.
One of these key pairs has also been found and documented by researcher Didier Stevens of NVISO Labs who noted that along with another key pair, it accounts for 25% of Cobalt Strike team servers on the internet. This suggests it’s likely distributed as part of a pirated version of Cobalt Strike, since normally each team server deployment should have its unique key pair.
“While we cannot say for certain, it’s possible that someone connected with the Prometheus TDS is maintaining this cracked copy and providing it upon purchase,” the BlackBerry researchers said. “It is also possible that this cracked installation may be provided as part of a standard playbook or a virtual machine (VM) installation.”
Since January 2020, many cybercriminal groups have used Cobalt Strike with this unique key pair and while it’s not clear if all were Prometheus customers, the BlackBerry researchers have seen evidence that the following were: DarkCrystalRAT, FickerStealer, Cerber, REvil (a.k.a. Sodinokibi), Ryuk (a.k.a. WizardSpider) and BlackMatter. Additionally, other groups mentioned in Group-IB’s Prometheus analysis last year have used the same Cobalt Strike pirated version: MAN1, FIN7 and IcedID.
“Searching across our customers’ data for signs of Prometheus/Cobalt Strike-related activity reveals some interesting trends,” the BlackBerry researchers said. “The list of inbound TCP ports shows evidence of port scanning, with threat actors performing reconnaissance of Internet-facing infrastructure. In all likelihood, they are doing so in search of one of the greatest Achilles’ heels for organizations: remotely exploitable services.”
Scans on port 3389 used by the Windows Remote Desktop Protocol (RDP) were most common and seen in almost 60% of cases. This is not surprising, since RDP has been one of the main ways for ransomware gangs to break into networks and, as previously seen, the list of Prometheus customers includes many ransomware groups. Also, some Cobalt team servers were seen operating as RDP jump stations for Prometheus. Scans on ports 443 (HTTPS), 21 (Telnet) and 80 (HTTP) were also common, as expected. The researchers noted multiple connections from Tomcat Java web servers back to a Prometheus-related IP address, which could suggest some Tomcat vulnerability exploitation and Cobalt beacon deployment.
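The port breakdown above is the kind of figure a defender can produce from their own perimeter logs. The following script is an added example, not code from the BlackBerry report: it parses a handful of constructed firewall log lines in a hypothetical key=value export format (not any vendor's real format), computes the share of inbound events and of distinct source IPs per destination port, flags sources that probe many different ports, and lists internal hosts where inbound RDP was actually allowed rather than denied, since those are the exposures the ransomware groups named in the report go looking for.

```python
"""Inbound-port breakdown and simple scan detection over perimeter logs.

Added example, not from the BlackBerry report. The log lines and the
key=value format are constructed for illustration.
"""
from collections import Counter, defaultdict
import re

# Constructed sample: inbound connection attempts seen at the network edge.
SAMPLE_LOG = """\
2021-10-01T09:00:01Z action=deny src=198.51.100.7 dst=10.0.0.5 dport=3389 proto=tcp
2021-10-01T09:00:02Z action=deny src=198.51.100.7 dst=10.0.0.6 dport=3389 proto=tcp
2021-10-01T09:00:03Z action=deny src=198.51.100.7 dst=10.0.0.7 dport=3389 proto=tcp
2021-10-01T09:00:04Z action=deny src=198.51.100.7 dst=10.0.0.5 dport=443 proto=tcp
2021-10-01T09:00:05Z action=deny src=198.51.100.7 dst=10.0.0.5 dport=80 proto=tcp
2021-10-01T09:00:06Z action=deny src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp
2021-10-01T09:00:07Z action=deny src=198.51.100.7 dst=10.0.0.5 dport=445 proto=tcp
2021-10-01T09:00:08Z action=deny src=198.51.100.7 dst=10.0.0.5 dport=8080 proto=tcp
2021-10-01T09:05:11Z action=allow src=203.0.113.9 dst=10.0.0.8 dport=3389 proto=tcp
2021-10-01T09:05:12Z action=deny src=203.0.113.9 dst=10.0.0.9 dport=3389 proto=tcp
2021-10-01T09:05:13Z action=allow src=203.0.113.9 dst=10.0.0.8 dport=443 proto=tcp
2021-10-01T09:07:40Z action=deny src=192.0.2.44 dst=10.0.0.5 dport=3389 proto=tcp
malformed line that the parser must skip
"""

# Hypothetical export format: timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

PORT_NAMES = {3389: "RDP", 443: "HTTPS", 80: "HTTP", 22: "SSH", 445: "SMB"}


def parse_log(text):
    """Return a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def port_share(events):
    """Fraction of inbound events per destination port, e.g. {3389: 0.5, ...}."""
    counts = Counter(ev["dport"] for ev in events)
    total = sum(counts.values())
    return {port: n / total for port, n in counts.items()} if total else {}


def _ports_by_source(events):
    ports_by_src = defaultdict(set)
    for ev in events:
        ports_by_src[ev["src"]].add(ev["dport"])
    return ports_by_src


def source_coverage(events):
    """Fraction of distinct source IPs that touched each port at least once."""
    ports_by_src = _ports_by_source(events)
    n_src = len(ports_by_src)
    touched = Counter(p for ports in ports_by_src.values() for p in ports)
    return {port: n / n_src for port, n in touched.items()} if n_src else {}


def scanning_sources(events, min_ports=5):
    """Sources that probed at least `min_ports` distinct ports: a crude scan heuristic."""
    return {src: sorted(ports)
            for src, ports in _ports_by_source(events).items()
            if len(ports) >= min_ports}


def allowed_rdp(events):
    """Internal hosts where inbound RDP was *allowed*; these exposures warrant review."""
    return sorted({ev["dst"] for ev in events
                   if ev["dport"] == 3389 and ev["action"] == "allow"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} inbound events parsed")
    for port, share in sorted(port_share(evs).items(), key=lambda kv: -kv[1]):
        print(f"  {port:>5} {PORT_NAMES.get(port, '?'):<5} {share:6.1%} of events")
    for port, frac in sorted(source_coverage(evs).items(), key=lambda kv: -kv[1]):
        print(f"  {port:>5} probed by {frac:6.1%} of sources")
    print("scanning sources:", scanning_sources(evs))
    print("hosts with inbound RDP allowed:", allowed_rdp(evs))
```

Reporting both the per-event share and the per-source coverage matters: a single noisy scanner can dominate event counts, while "what fraction of distinct sources tried RDP" is closer to the question of how attractive an exposed service is to attackers. The `allowed_rdp` list is the actionable output; the report's point is that exposed RDP is what the ransomware affiliates are scanning for.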
Across campaigns using the pirated Cobalt Strike version and key pair, organizations in the public sector were by far the most common target at 21%, followed by those in commerce, retail, education and health — all in the low single digits percentage-wise.
“Prometheus can be considered a full-bodied service/platform that allows threat groups to purvey their malware or phishing operations with ease,” the BlackBerry researchers said. “Think of Prometheus like a freight transport infrastructure, except instead of carrying food or petrochemicals, it carries a range of cyber offensive capabilities and malware to its targets. The irony of this analogy is that services like Prometheus enable bad actors to target companies that provide actual infrastructure – such as freight transport and other critical services – in the physical world.”