Security researchers have identified a malware-distribution service that hackers use to deliver a multitude of ransomware threats to victims.
Researchers at Group-IB first noticed the service in the spring of 2021. An unusual pattern in a downloader's distribution, previously described by researchers at Unit 42 and McAfee, revealed a new method designed to hide files containing malicious links from web scanners.
Group-IB's researchers found that the same pattern also helps distribute other malware, such as Campo Loader, IcedID, QBot, SocGholish, and Buer Loader. They then identified at least 3,000 targets of separate malware campaigns using the same scheme.
Further investigation established the two most active campaigns. The first targeted individuals in Belgium, and the second aimed at companies, corporations, universities, and government agencies in the US.
Researchers said they have handed over evidence of identified Prometheus TDS targets and affected companies to the US, German, and Belgian CERTs.
Researchers concluded that hackers carried out these campaigns using the same malware-as-a-service solution. Researchers then found a sale notice on the dark web for a service designed to distribute malicious files and redirect users to phishing and malicious sites. This service is called Prometheus TDS (Traffic Direction System).
The Prometheus TDS service distributes malicious files and redirects visitors to phishing and malicious sites. It has an administrative panel where an attacker configures the key parameters of a malicious campaign: the malicious files to download and restrictions on users' geolocation, browser version, and operating system.
"To prevent victims of malicious campaigns from interacting with the administrative panel directly, which could result in the attacker's server being disclosed and blocked, Prometheus TDS uses third-party infected websites that act as an intermediary between the attacker's administrative panel and the user," said researchers.
The service has operated since August 2020 and costs hackers $250 per month.
"The operator of the service claimed that Prometheus TDS is an ANTIBOT redirect system designed to send out emails, work with traffic, and for social engineering. In addition, Prometheus TDS can validate web shells, create and configure redirects, work through a proxy, and work with Google accounts, etc.," said researchers.
Additionally, the system can validate users against a blacklist, making it possible for malicious links to avoid being added to antivirus and spam databases.