Researchers at BlackBerry have shone a light on a malicious traffic delivery service called Prometheus, used by threat actors to facilitate Malware-as-a-Service (MaaS) operations and large-scale phishing redirection campaigns.
“Prometheus can be considered a full-bodied service/platform that allows threat groups to purvey their malware or phishing operations with ease,” BlackBerry said in a report released this morning.
First identified last August by researchers at Group IB, Prometheus sells access to its service through underground forums on a subscription basis, with its prices ranging from US$30 for two days to US$250 for a month.
The person behind Prometheus uses the name “Ma1n” on various Russian hacking forums. The service is pitched to a primarily Russian customer base, says BlackBerry. Initially they sold various exploit kits like PowerMTA and offered services in the form of “high quality redirects.” This work and knowledge then led them to create Prometheus TDS, the report says.
A traffic delivery service (TDS) is a system designed to (re)direct users from one web location to another based on the configuration set by its operator, says the report. The TDS helps to deliver malware binaries to targets via a complex web of phishing, maldocs and HTTP redirection.
TDSs aren’t new, the report makes clear. They used to be an integral part of an exploit kit’s execution chain, redirecting an unwitting user to a “landing page” where their computer would be fingerprinted and served with an exploit where possible. But the exploit kit (EK) landscape has been on the decline in recent years thanks to a concerted effort by law enforcement, browser hardening by developers, and declines in the use of Internet Explorer (IE) and Flash, the report says.
As a result, TDSs have evolved into their own independent entities that are largely part of Crimeware-as-a-Service (CaaS) offerings, which a threat actor offers for either rent or sale in specialized forums located on the dark web. Past examples of this are the EITest TDS, which exclusively targeted IE users, BlackTDS, which offered services for as little as US$16/day, and Seamless TDS.
The report says TDS traffic is typically funneled from one of two main sources: malicious ads (malvertising) on legitimate websites, or compromised legitimate websites that contain malicious code. “Once a victim is caught in this web of redirects, they are at the mercy of the TDS and will be redirected to a location that serves malware, phishing scams, exploit kits or tech support scams,” the report says.
Prometheus works slightly differently: Targets are funneled via a spam email that contains either an HTML file, a Google Docs page, or a web shell redirector, says BlackBerry. These components each contain an embedded URL designed to redirect the user to a first-stage payload, or to a website that has been compromised by the threat actor and hosts a PHP-based backdoor. The backdoor, says the report, is used to glean various types of data from the victim, which is sent back to the Prometheus TDS administrative panel. The admin panel can then send instructions back to the compromised website/PHP backdoor to serve the victim with malware, or redirect them to another page that might contain a phishing scam.
While Prometheus employs several bespoke offensive solutions, it also appears to lean heavily on the Cobalt Strike Beacon adversary simulation and threat emulation software, says the report. Cracked versions of Cobalt Strike are often used by threat actors for reconnaissance of hacked IT systems.
The report also uses work done by cybersecurity researcher Didier Stevens of NVISO Labs, who found a private SSL key used in malicious Cobalt Strike installations. That led BlackBerry researchers to look at overlaps between the leaked key and malware deployed via Prometheus TDS. As a result, they concluded that a number of malicious campaigns are likely to have recently utilized a particular cracked version of Cobalt Strike and Prometheus. These include the REvil, Ryuk, Cerber and BlackMatter ransomware operations as well as the Qakbot malware package.
By coincidence, the BlackBerry report concludes, Stevens just released a multi-part blog series about decrypting Cobalt Strike traffic with known private SSL keys used by hackers. One of the private SSL keys was the twin to a public SSL key BlackBerry had been using to cluster Prometheus-related threat groups and malspam campaigns.
That means, says BlackBerry, incident responders could use this public/private pair to decrypt the Cobalt Strike Beacon traffic going to a threat actor’s command and control server by using Stevens’ processes and tooling.
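Before spending effort on decryption, a responder wants to confirm that a leaked private key really is the twin of the public key already used to cluster samples. The check below is an added example in Go, not code from the BlackBerry report or from Stevens’ tooling; the page does not reproduce the leaked key, so the keys are generated in place as constructed stand-ins.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// PublicKeyFingerprint hashes the PKIX DER encoding of an RSA public key.
// The hex digest is a stable label for grouping samples that embed the same key.
func PublicKeyFingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// IsTwin reports whether priv is the private half of pub. Modulus and exponent
// are compared first; a sign/verify round trip then rejects a private key whose
// parameters look right but are corrupted or inconsistent.
func IsTwin(priv *rsa.PrivateKey, pub *rsa.PublicKey) bool {
	if priv == nil || pub == nil {
		return false
	}
	if priv.N.Cmp(pub.N) != 0 || priv.E != pub.E {
		return false
	}
	digest := sha256.Sum256([]byte("key-pairing check"))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Constructed keys: one stands in for the leaked private key, the other for
	// a public key seen in an unrelated sample.
	leaked, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	fp, _ := PublicKeyFingerprint(&leaked.PublicKey)
	fmt.Println("cluster fingerprint:", fp)
	fmt.Println("twin of clustered key:", IsTwin(leaked, &leaked.PublicKey))
	fmt.Println("twin of unrelated key:", IsTwin(leaked, &other.PublicKey))
}
```

In practice the public key would be parsed out of the sample with x509.ParsePKIXPublicKey and the leaked key with x509.ParsePKCS1PrivateKey before calling IsTwin.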