
Dubbed “Prometheus,” the malware-as-a-service offering is used by cybercriminals and is available for sale on underground platforms for $250. The service is a Traffic Direction System (TDS) designed to distribute malware-laced Word and Excel documents and to divert users to phishing and malicious sites.
More than 3,000 email addresses are said to have been singled out via malicious campaigns in which Prometheus TDS was used to send malicious emails, with banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance emerging as the prominent verticals targeted by the attacks.

“This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users’ geolocation, browser version, and operating system.”
The service is also known to employ third-party infected websites that are manually added by the campaign’s operators and act as a middleman between the attacker’s administrative panel and the user. To achieve this, a PHP file named “Prometheus.Backdoor” is uploaded to the compromised website to collect and send back data about the victim.
The attack scheme commences with an email containing one of three lures: an HTML file, a link to a web shell that redirects users to a specified URL, or a link to a Google Doc embedded with a URL that redirects users to the malicious link. When opened or clicked, the lure leads the recipient to the infected website, which stealthily collects basic information and then forwards this data to the Prometheus admin panel.
The administrative panel is then responsible for sending a command either to redirect the user to a particular URL or to deliver a malware-ridden Microsoft Word or Excel document; immediately after the file is downloaded, the user is redirected to a legitimate site such as DocuSign or USPS to mask the malicious activity.
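As an added illustration from the defender's side (not code from the report or from the service itself), the following Python correlates proxy log events to flag the download-then-decoy-redirect step described above: an Office document served from an untrusted host, followed shortly by a request to one of the decoy sites. The log lines, hostnames, trusted-host list and 60-second window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "<timestamp> <client_ip> <status> <url> <content_type>"
SAMPLE_LOG = """\
2021-08-05T10:00:01 10.0.0.5 200 http://compromised.example/blog/index.php text/html
2021-08-05T10:00:03 10.0.0.5 200 http://compromised.example/blog/invoice.docm application/vnd.ms-word.document.macroEnabled.12
2021-08-05T10:00:04 10.0.0.5 302 http://compromised.example/blog/index.php text/html
2021-08-05T10:00:05 10.0.0.5 200 https://www.docusign.com/ text/html
2021-08-05T10:05:00 10.0.0.9 200 https://intranet.example/q2/report.xlsx application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
2021-08-05T10:30:00 10.0.0.9 200 https://www.usps.com/ text/html
"""

OFFICE_EXTS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm")
DECOY_HOSTS = {"www.docusign.com", "www.usps.com"}   # decoy sites named in the report
TRUSTED_DOC_HOSTS = {"intranet.example"}             # assumption: your own document servers
WINDOW = timedelta(seconds=60)                       # assumption: decoy redirect follows download quickly


def parse_line(line):
    """Split one constructed log line into (timestamp, client, status, url, host)."""
    ts, client, status, url, _ctype = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), client, int(status), url, urlparse(url).hostname


def is_untrusted_document(url, host):
    """True if the URL path ends in an Office extension and the host is not one we trust."""
    path = urlparse(url).path.lower()
    return path.endswith(OFFICE_EXTS) and host not in TRUSTED_DOC_HOSTS


def find_lure_chains(log_text, window=WINDOW):
    """Return (client, document_url, decoy_host) for each untrusted document download
    that is followed within `window` by a request to a decoy host from the same client."""
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        by_client[ev[1]].append(ev)
    hits = []
    for client, events in by_client.items():
        events.sort()  # tuples sort by timestamp first
        for i, (ts, _, _, url, host) in enumerate(events):
            if not is_untrusted_document(url, host):
                continue
            for later_ts, _, _, _, later_host in events[i + 1:]:
                if later_ts - ts > window:
                    break  # outside the correlation window; stop scanning this download
                if later_host in DECOY_HOSTS:
                    hits.append((client, url, later_host))
                    break
    return hits
```

The second client downloads a spreadsheet from a trusted host and visits USPS 25 minutes later, so only the first client's chain is reported.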
Besides distributing malicious files, researchers found that Prometheus TDS is also used as a classic TDS to redirect users to specific sites, such as fake VPN websites, dubious portals selling Viagra and Cialis, and banking phishing sites.