Prometei botnet targets Windows devices.
Cisco Talos’ threat intelligence team published a report revealing startling details of how cybercriminals are continually reinventing the way they can monetize their malicious tools and techniques. Reportedly, Cisco Talos researchers discovered a “complex” new campaign involving a multi-modular cryptojacking botnet named “Prometei.”
The botnet can spread in multiple ways, such as using the Windows Server Message Block protocol (SMB) exploits, stolen credentials, WMI, and PsExec. It contains a payload added specifically to mine for Monero cryptocurrency, while it can also take data from the victim’s device.
Prometei mainly exploits the SMB protocol to move across the targeted system laterally. The infection chain starts with compromising the device’s Windows SMB protocol through exploiting SMB vulnerabilities like EternalBlue or the more recent vulnerability SMBGhost.
It is worth noting that EternalBlue is a cyber-attack exploit developed by the U.S. National Security Agency (NSA). On April 14, 2017, the exploit was stolen and leaked by the Shadow Brokers hacker group. Since then, the exploit has been used in several malware attacks including recently reported Lucifer malware which infects Windows device to launch DDoS attack.
As for Prometei, the botnet uses brute-force and mimikatz attacks to scan, store, and try stolen credentials. The discovered passwords are sent to a C&C server for validity purposes and other modules to reuse them to verify passwords on systems using RDP and SMB protocols.
The malware secretly mines for Monero (XMR) and uses other tools to increase the number of systems participating in its crypto-mining pool. As per the researchers at Cisco Talos, this botnet can contain as many as 10,000 systems simultaneously.
In a blog post, Cisco Talos researchers wrote that:
The actor behind it is also likely its developer. The TTPs indicate we may be dealing with a professional developer, based on their ability to integrate SMB exploits such as Eternal Blue and authentication code and the use of existing open-source projects, such as Mimikatz and FreeRDP.
According to the Cisco Talos research team, Prometei has been active since March 2020 and its extensive modular system. The variety of techniques/tools that it uses to evade detection and compromise systems makes it a noteworthy discovery.
Prometei also uses 15 executable modules for obtaining the administrator password from the targeted computer. When the malware manages to obtain access to the infected machine’s administrative rights, it starts stealing all the data stored on the device.
The botnet is still active and has a hash generating frequency of over 1 million hashes per second. Currently, it has two different function branches; one is the C++ branch that performs crypto-mining, while the other is .NET based, and focuses on stealing credentials, obfuscation, and exploiting SMB protocol.
Interestingly, the main branch can function independently as it can directly communicate with the C2, performing mining, and steal credentials. Using bolted-on auxiliary modules, the malware can communicate through I2P or TOR networks to collect system information, identify open ports, and scan for stored cryptocurrency wallets.
After the system is compromised, it becomes part of the botnet army. The attacker can perform a wide range of tasks such as executing commands or programs, launching command shells, and setting RC4 encryption keys apart from crypto-mining and data theft.
According to Cisco Talos, the numbers of systems infected by Prometei are in the “low thousands,” and in four months, it has collected $1,250 per month.
“Although earnings of $1,250 per month doesn’t sound like a significant amount compared to some other cybercriminal operations, for a single developer in Eastern Europe, this provides more than the average monthly salary for many countries,” researchers noted.
The malware’s C2 requests are detected in Mexico, the US, Turkey, Brazil, and China. Despite that a C2 server was seized back in June, the operations of Prometei remain unaffected.