Threat Intelligence Blog

Understanding Prometheus TDS

Written by PRODAFT Team | Jul 1, 2024 12:07:24 PM
Introduction

Prometheus TDS emerged in 2020 as a Traffic Distribution System service, providing a feature for filtering and the redirection of potential victims to phishing and malicious websites or documents. The main module lies in the administrative panel, where affiliates could configure parameters for their deceitful campaigns, enhancing malicious campaigns by more precise target exfiltration & reducing the chance of being revealed.

Prometheus became a viable alternative to the previously used services, such as Ketairo TDS. Campaigns targeting primarily US and Western European countries were executed in conjunction with Prometheus TDS.

 

Functionality of Traffic Distribution Systems (TDS)

 

Traffic Distribution Systems (TDS) serve as intermediaries within networks, managing web traffic between websites. These systems play a crucial role in controlling and filtering web traffic, enabling the collection of statistics on network traffic in real time.

Through the filtering mechanisms, TDS allow threat actors to route traffic according to their preferences, filtering through user browsers, their IP addresses, location, OS etc.

Moreover, the owner of Prometheus also offers Reverse Proxy solutions to enhance anonymity.

Mode of Operation

Prometheus TDS executes its attacks in multiple stages, often initiating with deceptive phishing emails leading victims to compromised websites containing a specialized PHP script called Prometheus.Backdoor.

Upon interaction, Prometheus.Backdoor collects the victim’s data and sends it to the administrative panel, enabling further actions such as URL redirection or malicious file delivery. The transmission of malicious payloads is facilitated through specialized JavaScript code, often concealed within weaponized documents or archives.

Known Affiliation & Previous Campaigns

Prometheus TDS has garnered popularity among threat actors across various domains, offering relevant services tailored to enhance phishing, spear-phishing, affiliate marketing, and social engineering activities.

Notable payloads associated with Prometheus TDS include BazaLoader, Hancitor, QBOT, IcedID, and others. Affiliates can benefit from a wide range of features, including campaign management, traffic distribution, and bot protection modules, significantly amplifying their attack vectors.

Recent Developments and Collaborations

More recently, collaborations were observed between Prometheus owner Main and a prominent threat actor dubbed WeNNy, aiming to enhance obfuscation techniques for PHP web shells.

WeNNy has been an experienced member of dark web forums starting from 2009. His activities and offers are mostly connected to the FUD obfuscations and loaders.

This collaboration serves as evidence of the constant development of the service and utilization of advanced obfuscation methods to evade detection. 

Cybercriminals are always trying to stay one step ahead, making organizations unprepared for what's yet to come. If you would like to change the equation and ensure you keep your upper hand against cybercrime, get in touch with us.