According to researchers at Group-IB, Prometheus TDS has been available in underground markets since August 2020. For $250 a month, subscribers get access to the Prometheus TDS administrative panel, which allows an attacker to download malicious files and to configure restrictions on users' geolocation, browser version, and operating system.
The service is a Traffic Direction System (TDS) designed to distribute malware-laced Microsoft Word and Excel documents, and redirect users to phishing and malicious sites.
How Are Cybercriminals Leveraging the Prometheus TDS Malware Service?
The Group-IB report revealed that over 3,000 email addresses were singled out in malicious campaigns in which Prometheus TDS was employed to send malicious files, with financial, energy and mining, healthcare, IT, and insurance emerging as the verticals most often targeted by the attacks.
The campaign commences with an email containing an HTML file, a web shell that redirects users to a specified URL, or a link to a Google Doc embedded with a URL that redirects users to the malicious link, which, when opened or clicked, leads the recipient to the infected website.
The malware-as-a-service (MaaS) solution distributes a wide range of malicious software via campaigns that result in the deployment of payloads such as IcedID, QBot, and Buer Loader against high-profile individuals and corporations in the United States and some other Western countries.
Besides distributing malicious files, Prometheus TDS also redirects users to specific sites, such as the fake site of a well-known VPN provider located at hXXps://huvpn[.]com/free-vpn/, where clicking the download button initiates the download of a malicious EXE file.
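The HTML-attachment stage of the chain described above (an HTML file whose only job is to bounce the victim to a TDS-controlled URL) is something mail-gateway triage can flag before a user ever clicks. The following is an added example written for this article, not Group-IB's code or any tooling from the report: it scans an HTML attachment for the two common redirect primitives (a meta refresh and a script assignment to `location`), extracts and defangs the destination, and checks the host against a small watch list seeded with the fake VPN domain quoted above. The regexes and the sample lure are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Redirect primitives typically seen in HTML lures (patterns constructed for this example):
# <meta http-equiv="refresh" content="0; url=..."> and window.location.href = "..." / location.replace("...")
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)
SCRIPT_LOCATION = re.compile(
    r'(?:window|document|top|self)?\.?location(?:\.href|\.replace|\.assign)?\s*(?:=|\()\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)

# Watch list: the fake VPN host from the Group-IB report, refanged from hXXps://huvpn[.]com/free-vpn/.
KNOWN_REDIRECT_HOSTS = {"huvpn.com"}


def defang(url):
    """Render a URL non-clickable for reports and tickets (https://a.b -> hXXps://a[.]b)."""
    return url.replace("http", "hXXp", 1).replace(".", "[.]")


def analyze_html_attachment(html):
    """Return redirect targets found in an HTML attachment and whether any host is on the watch list."""
    targets = META_REFRESH.findall(html) + SCRIPT_LOCATION.findall(html)
    hosts = {urlparse(t).hostname for t in targets if urlparse(t).hostname}
    return {
        "redirects": [defang(t) for t in targets],
        "known_bad": sorted(h for h in hosts if h in KNOWN_REDIRECT_HOSTS),
        "suspicious": bool(targets),
    }


# Constructed sample lure: an otherwise empty page that immediately forwards the visitor.
SAMPLE_LURE = """<html><head>
<meta http-equiv="refresh" content="0; url=https://huvpn.com/free-vpn/">
</head><body><script>window.location.href = "https://huvpn.com/free-vpn/";</script>
</body></html>"""

if __name__ == "__main__":
    print(analyze_html_attachment(SAMPLE_LURE))
```

Any attachment that is nothing but a redirect is worth quarantining even when the host is not yet on a watch list, since the TDS will serve the real payload or a decoy depending on the victim's geolocation, browser, and OS, so a sandbox fetch from the wrong profile may see only benign content.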
The Group-IB report documents several unrelated malware campaigns carried out by different hacker groups using Prometheus TDS, a finding that supports the assumption that Prometheus TDS is a MaaS solution.