Prometei Botnet Spreads Its Cryptojacker Worldwide

Published: 23/11/2024   Category: security




The Russian-language malware primarily enlists computers to mine Monero, but theoretically it can do worse.



An 8-year-old modular botnet is still kicking, spreading a cryptojacker and Web shell on machines spread across multiple continents.
Prometei was first discovered in 2020, but later evidence suggested that it's been in the wild since at least 2016. In those intervening years it spread to more than 10,000 computers globally, in countries as diverse as Brazil, Indonesia, Turkey, and Germany, whose Federal Office for Information Security categorizes it as a medium-impact threat.
"Prometei's reach is global due to its focus on widely used software vulnerabilities," explains Callie Guenther, senior manager of cyber-threat research at Critical Start. "The botnet spreads through weak configurations and unpatched systems, targeting regions with inadequate cybersecurity practices. Botnets like Prometei typically do not discriminate by region but seek maximum impact by exploiting systemic weaknesses. [In this case], organizations using unpatched or poorly configured Exchange servers are particularly at risk."
Trend Micro details what a Prometei attack looks like: clunky in its initial infection but stealthy thereafter, capable of exploiting vulnerabilities in a variety of different services and systems, and focused on cryptojacking but capable of more.
Don't expect an initial Prometei infection to be terribly sophisticated.
The case Trend Micro observed began with a number of failed network login attempts from two IP addresses appearing to come from Cape Town, South Africa, which aligned closely with known Prometei infrastructure.
After its first successful login into a machine, the malware went to work testing a variety of outdated vulnerabilities that might still be lingering in its target's environment. For example, it uses the half-decade-old BlueKeep bug in the Remote Desktop Protocol (RDP) — rated a critical 9.8 out of 10 in the Common Vulnerability Scoring System — to try to achieve remote code execution (RCE). It uses the even older EternalBlue vulnerability to propagate via Server Message Block (SMB). On Windows systems, it tries the 3-year-old ProxyLogon arbitrary file write vulnerabilities CVE-2021-27065 and CVE-2021-26858, which have high 7.8 CVSS ratings.
Exploiting such old vulnerabilities could be read as lazy. In another light, it's an effective approach to weeding out better-equipped systems belonging to more active organizations.
"Prime targets are those systems that have not been or cannot be patched for some reason, which translates to them being either unmonitored or neglected from normal security processes," Mayuresh Dani, manager of security research at Qualys, points out. "The malware authors want to go after easy pickings, and in today's connected world, I consider this intelligent, as if they know that their targets will be plagued by multiple security issues."
Once Prometei gets to where it wants to go, it has some neat tricks for achieving its ends. It uses a domain generation algorithm (DGA) to harden its command-and-control (C2) infrastructure, enabling it to continue operating even if victims try blocking one or more of its domains. It manipulates targeted systems to allow its traffic through firewalls, and runs itself automatically upon system reboots.
One particularly useful Prometei command invokes the WDigest authentication protocol, which stores passwords in plaintext in memory. WDigest is typically disabled in modern Windows systems, so Prometei forces it back on, capturing those plaintext passwords, which it then dumps into a dynamic link library (DLL). Then, another Prometei command configures Windows Defender to ignore that particular DLL, allowing those passwords to be exfiltrated without raising any red flags.
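A defender-side audit of the two host settings just described, added here as an example that is not from the article or from Trend Micro's report: it reads the WDigest UseLogonCredential registry value (1 means LSASS keeps plaintext credentials) and lists every Windows Defender exclusion so an unexpected DLL or folder stands out. The path patterns used to flag exclusions for review are an illustrative assumption, not an authoritative list.

```powershell
# Added audit script (not from the article). Run in an elevated PowerShell session.
param(
    [switch]$Remediate   # when set, turn WDigest plaintext caching back off
)

$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$findings = @()

# 1. WDigest: UseLogonCredential = 1 makes LSASS retain plaintext passwords in memory.
#    On current Windows versions the value is absent or 0 unless something set it.
$val = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
if ($val -eq 1) {
    $findings += 'WDigest UseLogonCredential is 1: plaintext credentials are cached in LSASS'
    if ($Remediate) {
        Set-ItemProperty -Path $wdigestKey -Name UseLogonCredential -Value 0 -Type DWord
        $findings += '  -> set UseLogonCredential to 0 (already cached credentials persist until the next logon)'
    }
}

# 2. Defender exclusions: excluding a DLL or a directory from scanning is a common way
#    to hide a credential dump. Every entry deserves review; the patterns below are only
#    an illustrative heuristic (assumption) for what usually merits a closer look.
$prefs = Get-MpPreference
$suspicious = '\\Users\\Public\\', '\\Temp\\', '\\AppData\\', 'dll$', '\\Windows\\Tasks\\'
foreach ($ex in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess) + @($prefs.ExclusionExtension)) {
    if (-not $ex) { continue }          # property was empty
    $flag = ''
    foreach ($p in $suspicious) { if ($ex -match $p) { $flag = ' [review]'; break } }
    $findings += "Defender exclusion: $ex$flag"
}

if ($findings.Count -eq 0) { 'No findings: WDigest caching off, no Defender exclusions configured.' }
else { $findings }
```

Setting the registry value to 0 only stops future logons from being cached; clearing what is already in LSASS memory needs a reboot or a forced re-logon of the affected sessions.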
The most obvious purpose of a Prometei infection appears to be cryptojacking — using infected machines to help mine the ultra-anonymous Monero cryptocurrency without their owners knowing it. Beyond that, though, it downloads and configures an Apache Web server that serves as a persistent Web shell. The Web shell allows attackers to upload more malicious files and execute arbitrary commands.
As Stephen Hilt, senior threat researcher at Trend Micro, points out, botnet infections are often associated with other kinds of attacks as well.
"I always look at the cryptomining groups being a canary in the coal mine — it's an indicator that there's probably more going on in your system," he says. "If you look at our 2021 blog, there was LemonDuck, a ransomware group, and [Prometei] all within the same machines."
There is one specific part of the globe that Prometei does not touch.
The botnet's Tor-based C2 server is made to specifically avoid certain exit nodes in some former Soviet countries. To further ensure the safety of Russian-language targets, it possesses a credential-stealing component that deliberately avoids affecting any accounts labeled "Guest" or "Other user" in Russian.
Older variants of the malware contained bits of Russian-language settings and language code, and the name Prometei is a translation of Prometheus in various Slavic languages. In the famous myth, Zeus programs an eagle to attack Prometheus' liver every day, only for the liver to persist through reboots each night.
