Threat Intelligence analysts at Group-IB have recently detected new traces of a malware campaign distributing Hancitor, actively spread through Prometheus TDS, an underground platform.
Earlier, researchers at Unit 42 and McAfee had noted that the attackers are evolving, which is why they turned their attention to an atypical distribution pattern for the downloader.
They discovered several incidents showing that the threat actors are evolving as well, using sophisticated methods to hide malicious links inside legitimate-looking documents and keep them off web scanners' radar.
The experts detected similar patterns being used to distribute other malware: their analysis identified more than 3,000 targets of separate malware campaigns using similar schemes.
According to the Group-IB report shared with Cyber Security News, the researchers identified the two most active campaigns: the first targeted users in Belgium, while the second targeted several kinds of bodies in the United States, namely:
- Companies
- Corporations
- Universities
- Government organizations
On further analysis, Group-IB researchers identified a sale notice for a service, "Prometheus TDS (Traffic Direction System)", offered on one of the underground platforms and designed to distribute malicious files and redirect users to phishing campaigns and malicious sites.
Attack scheme using Prometheus TDS
The threat actors distribute malware through Prometheus TDS in several crucial stages.
The image above shows the scheme as laid out by Group-IB's cybersecurity analysts.
Prometheus.Backdoor Analysis
The experts found that the threat actors carry out their campaigns through Prometheus TDS by installing Prometheus.Backdoor, which they control through an admin panel.
According to the report, once a user visits the infected site, Prometheus.Backdoor gathers data such as the IP address, User-Agent, language data, Referrer header, and time zone, and then forwards the collected data to the Prometheus admin panel.
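A TDS that profiles visitors by the fields above typically sends scanners and out-of-scope visitors to a harmless page while real targets are redirected to the payload. The following is an added example, not code from the Group-IB report, of how a defender can hunt for that cloaking in a web server's access log; it assumes a constructed log format in which each line carries the client IP, request, status, Location header, User-Agent and Accept-Language.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed access-log excerpt (not from the report). Assumed format:
# client_ip "METHOD path" status "Location" "User-Agent" "Accept-Language".
# One path on the compromised site answers 302 with a Location that depends
# on the visitor's browser and language, the cloaking a TDS relies on.
SAMPLE_LOG = """\
10.0.0.5 "GET /wp-content/doc.php" 302 "https://benign.example/doc.pdf" "Mozilla/5.0 Chrome/91" "en-US"
10.0.0.6 "GET /wp-content/doc.php" 302 "https://drop.example/file.zip" "Mozilla/5.0 Chrome/91" "nl-BE"
10.0.0.7 "GET /wp-content/doc.php" 302 "https://benign.example/doc.pdf" "curl/7.68.0" "nl-BE"
10.0.0.8 "GET /login.php" 302 "https://benign.example/login" "Mozilla/5.0 Chrome/91" "en-US"
10.0.0.9 "GET /login.php" 302 "https://benign.example/login" "curl/7.68.0" "nl-BE"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'"(?P<location>[^"]*)" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$'
)


def parse_log(text):
    """Parse lines in the assumed format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_cloaked_redirects(records):
    """Return {path: {location: [(ua, lang), ...]}} for paths that redirect
    different visitors to different hosts. A path that sends everyone to the
    same place is normal; one whose target varies with the fingerprint fields
    a TDS collects deserves a closer look."""
    by_path = defaultdict(lambda: defaultdict(list))
    for r in records:
        if r["status"].startswith("3") and r["location"]:
            by_path[r["path"]][r["location"]].append((r["ua"], r["lang"]))
    return {
        path: dict(targets)
        for path, targets in by_path.items()
        if len({urlparse(loc).netloc for loc in targets}) > 1
    }


if __name__ == "__main__":
    for path, targets in find_cloaked_redirects(parse_log(SAMPLE_LOG)).items():
        print(path)
        for loc, visitors in targets.items():
            print("  ->", loc, "served to", visitors)
```

Only the PHP page that splits its visitors between two hosts is reported; the login redirect, which treats every visitor alike, is not.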
Malware Campaigns
After investigating the attack, the experts listed the malware campaigns involved:
- Campo Loader
- Hancitor
- QBot
- IcedID
- VBS Loader
- Buer Loader
- SocGholish
- Fake VPN
- Viagra SPAM
- Banking phishing
Fake VPN, spam, and password brute-forcing
This campaign is quite dangerous: the researchers found that, apart from malware distribution, Prometheus TDS is also used to redirect users to sites offering fake VPN solutions, phishing pages for banking information, and pharmaceutical spam such as Viagra.
BRChecker is another service operated by the same threat actor behind Prometheus. BRChecker offers a password brute-force tool and shares infrastructure with the TDS service.
The security analysts investigated the whole campaign carefully and reconstructed the attack scheme.
The scheme generally begins with an email carrying either a link to a web shell that redirects users to a particular URL, an HTML file, or a link to a Google Doc embedding a URL that leads the user to the malicious link.
The experts are still working to obtain more details about both services run by the threat actors.