Experts Discover Promotheus TDS, An Underground MaaS – E Hacking News

Author Avatar



Share post:


Cybersecurity experts from Group-IB in its technical research on Promotheus TDS,
an underground MaaS (Malware as a service), found that it has been providing
service for distribution of various malware variants such as Campo Loader, Buer
Loader, Qbot, Hancitor, IcedID, and SocGholish. Promotheus has been in
aggressive use in underground forums since last year. It is a platform where one
can send emails, perform social engineering and work along traffic. Besides
this, TDS (Traffic Direction System) can also be used for web shell execution
and redirecting creation and management, work using proxy, compatible with
Google accounts, and also enable users against blacklists. 

Security Week reports
“typical attack involving Prometheus TDS starts with a malicious email that
either carries a HTML file to redirect the victim to a compromised site, a link
to a web shell that performs a redirection. Once the victim follows the link,
they are redirected to the Prometheus.Backdoor URL where their data is collected
and sent to the Prometheus TDS admin panel, which decides how to serve the next
stage.” The service can be availed for $250 on a monthly basis. Besides
providing distribution of malicious files, TDS is also used for redirecting
victims to malicious and Phishing sites. 

The first campaign of Promotheus TDS
was found in 2021, along with additional active campaigns, and a total of 3000
users have been found till date. TDS includes of an administrator panel that
lets hackers to modify different parameters for malware campaigns, consisting
download of malicious files, restricting geolocation, operating systems and
browser. Third-party compromised sites are used as a leverage between victims and
administrative panels. Experts found a PHP file named ‘Promotheus’ backdoor in
one of these sites. 

It is built to steal user data and transmit it. “The service
has been used to send malicious emails to more than 3,000 addresses to date. The
most active campaign targeted individuals in Belgium (more than 2,000 emails),
while the second largest attack targeted US entities (more than 260 emails
targeting government agencies and organizations in sectors such as finance,
insurance, healthcare, energy and mining, retail, IT, and cybersecurity),” said
the Security Week.

The 'Interaction-Less' Flaws in Messaging Apps Allowed Hackers to Eavesdrop - E Hacking News
DHS Called On Hackers to Join Government During Black Hat Speech - E Hacking News