
‘Prometei’ Botnet Distributes Its Cryptojacking Operations Globally


An eight-year-old modular botnet known as “Prometei” remains active, still spreading a cryptojacker and a web shell to machines worldwide.

First detected in 2020, Prometei has been linked to cyber activities dating back to at least 2016. In that time, it has compromised over 10,000 computers across various nations, including Brazil, Indonesia, Turkey, and Germany. The Federal Office for Information Security in Germany has identified it as a medium-impact threat.

According to Callie Guenther, a senior manager in cyber-threat research at Critical Start, “Prometei’s global presence can be attributed to its exploitation of widespread software vulnerabilities.” This botnet targets poorly secured or outdated systems, particularly in regions with low cybersecurity standards. Guenther notes that organizations utilizing unpatched or inadequately configured Exchange servers are especially vulnerable, emphasizing the botnet’s strategy to maximize its impact by targeting systemic weaknesses.

A closer examination by Trend Micro shows what a Prometei intrusion looks like: the initial access is unsophisticated, but once inside the malware operates quietly, works through a list of well-known vulnerabilities, and focuses on cryptojacking while keeping capabilities that go well beyond it.

Loud Entry Into Unloved Systems

Prometei infections usually begin with modest tactics.

Trend Micro documented an attack that began with a run of failed login attempts from two IP addresses in Cape Town, South Africa, that matched known Prometei infrastructure. Once a login succeeded, the malware started probing the host for old, unpatched vulnerabilities.

For instance, Prometei exploits “BlueKeep” (CVE-2019-0708), a five-year-old flaw in the Remote Desktop Protocol (RDP) rated 9.8 (critical) on the Common Vulnerability Scoring System (CVSS), to gain unauthenticated remote code execution. It also spreads over Server Message Block (SMB) using the even older EternalBlue exploit (MS17-010), and goes after Windows environments with known issues such as the 2021 ProxyLogon flaws in Microsoft Exchange Server, which also carry critical CVSS ratings.
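The “loud entry” described above (a burst of failed logons from one address, then a success, then exploitation of old bugs) is easy to spot in the Windows Security log. The following PowerShell is an added example and is not code from the Dark Reading article or the Trend Micro report; the event records and IP addresses in it are constructed for illustration, and the thresholds are assumptions to tune for your environment.

```powershell
# Added example (not code from the Dark Reading article or Trend Micro report):
# spot the "loud entry" pattern, a burst of failed logons from one source
# address followed by a success, in Windows Security log events
# 4625 (failed logon) and 4624 (successful logon).

# Constructed sample events standing in for a real Security log export.
# 203.0.113.10 fails six times in under two minutes and then gets in;
# 198.51.100.7 is ordinary noise.
$SampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-01T02:00:01'; Id = 4625; Ip = '203.0.113.10'; User = 'administrator' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T02:00:09'; Id = 4625; Ip = '203.0.113.10'; User = 'admin' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T02:00:20'; Id = 4625; Ip = '203.0.113.10'; User = 'administrator' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T02:00:33'; Id = 4625; Ip = '203.0.113.10'; User = 'backup' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T02:00:47'; Id = 4625; Ip = '203.0.113.10'; User = 'administrator' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T02:01:02'; Id = 4625; Ip = '203.0.113.10'; User = 'administrator' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T02:01:15'; Id = 4624; Ip = '203.0.113.10'; User = 'administrator' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T09:30:00'; Id = 4625; Ip = '198.51.100.7';  User = 'jsmith' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T09:30:40'; Id = 4624; Ip = '198.51.100.7';  User = 'jsmith' }
)

function Find-LogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 10,       # failures inside the window that count as a burst (assumed default)
        [int] $WindowMinutes = 5
    )
    foreach ($group in ($Events | Group-Object -Property Ip)) {
        $ordered  = @($group.Group | Sort-Object -Property Time)
        $failures = @($ordered | Where-Object { $_.Id -eq 4625 })
        if ($failures.Count -lt $Threshold) { continue }

        # Sliding window: the first failure whose next ($Threshold - 1) failures
        # all fall within $WindowMinutes of it marks a burst.
        $burstEnd = $null
        for ($i = 0; $i -le $failures.Count - $Threshold; $i++) {
            $j = $i + $Threshold - 1
            if (($failures[$j].Time - $failures[$i].Time).TotalMinutes -le $WindowMinutes) {
                $burstEnd = $failures[$j].Time
                break
            }
        }
        if (-not $burstEnd) { continue }

        # A success from the same address after the burst is the "entry" worth triaging.
        $success = $ordered | Where-Object { $_.Id -eq 4624 -and $_.Time -gt $burstEnd } | Select-Object -First 1
        $successTime = $null
        if ($success) { $successTime = $success.Time }
        [pscustomobject]@{
            SourceIp     = $group.Name
            Failures     = $failures.Count
            UsersTried   = ($failures.User | Sort-Object -Unique) -join ','
            SuccessAfter = $successTime
        }
    }
}

function Get-LogonEvents {
    # Pull 4624/4625 from the live Security log (needs admin rights) and project
    # the same fields the sample uses, taken from the EventData payload.
    param([int] $Hours = 24)
    $ms = $Hours * 3600 * 1000
    $xpath = "*[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Ip = $data['IpAddress']; User = $data['TargetUserName'] }
    }
}

# Demo on the constructed sample (threshold lowered to fit the small data set):
Find-LogonBursts -Events $SampleEvents -Threshold 5 -WindowMinutes 5 | Format-Table -AutoSize
# On a real host: Find-LogonBursts -Events (Get-LogonEvents -Hours 24)
```

On the sample data only 203.0.113.10 is reported, with a SuccessAfter timestamp; the single failure from 198.51.100.7 never reaches the threshold. A SuccessAfter value is the cue to check what that account did next, since in the case Trend Micro describes the vulnerability probing started right after the successful login.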

Relying on such old vulnerabilities might seem unambitious, but it works: it selects for poorly maintained systems belonging to organizations that do not prioritize security.

Mayuresh Dani, a manager of security research at Qualys, explains, “The focus is on systems that remain unpatched or are otherwise neglected, presenting an easier target. This strategy is prudent; it implies an understanding that these systems are likely to harbor multiple security issues.”

Prometei’s Fire

Once inside, Prometei employs various tactics to further its agenda. It uses a domain generation algorithm (DGA) so that its command-and-control (C2) channel survives even when defenders block individual domains. It gets past the host firewall so its traffic keeps flowing, and it re-establishes itself after every reboot.

One notable trick involves WDigest, a legacy authentication protocol that, when enabled, leaves logon passwords cached in plaintext in memory. Current Windows versions disable this caching by default, but Prometei re-enables it, dumps the resulting credentials with a DLL it drops for the purpose, and adds a Windows Defender exclusion so that component is never scanned, giving it a quiet path to credential theft.

Prometei’s main purpose is cryptojacking: using the processing power of infected machines to mine Monero, a privacy-focused cryptocurrency, without the owners’ consent. It also installs an Apache web server that serves as a persistent web shell, through which the operators upload further malicious files and run commands remotely.
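A host-level audit for the tampering described in the last three paragraphs (re-enabled WDigest caching, Defender exclusions, firewall changes, an unexpected web server, and reboot persistence) can be scripted in a few functions. The PowerShell below is an added example, not code from the Dark Reading article or the Trend Micro report; the path patterns it treats as “risky” are assumptions, and it flags findings for review rather than changing anything. Run it in an elevated session.

```powershell
# Added example, not code from the Dark Reading article or the Trend Micro
# report: audit a Windows host for the tampering described above. Run in an
# elevated session. Each check emits a finding object; anything marked
# Suspicious deserves a look, not automatic remediation.

function Test-WDigestCaching {
    # WDigest plaintext caching is off by default since Windows 8.1 / Server 2012 R2;
    # UseLogonCredential = 1 turns it back on so LSASS holds cleartext passwords again.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $val = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    [pscustomobject]@{ Check = 'WDigest UseLogonCredential'; Detail = "$val"; Suspicious = ($val -eq 1) }
}

function Get-DefenderExclusionFindings {
    # Every exclusion is worth reviewing; ones covering DLLs or user-writable paths most of all.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return }
    foreach ($ex in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
        if (-not $ex) { continue }
        $risky = $ex -match '\.dll$|\\Users\\|\\ProgramData\\|\\Temp\\'   # assumed risk heuristic
        [pscustomobject]@{ Check = 'Defender exclusion'; Detail = $ex; Suspicious = [bool]$risky }
    }
}

function Get-FirewallFindings {
    # Inbound allow rules whose program lives outside the OS and Program Files trees.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $prog = ($_ | Get-NetFirewallApplicationFilter).Program
            if ($prog -and $prog -ne 'Any' -and
                $prog -notmatch '^(%SystemRoot%|%ProgramFiles(\(x86\))?%|[A-Za-z]:\\(Windows|Program Files))') {
                [pscustomobject]@{ Check = "Firewall rule '$($_.DisplayName)'"; Detail = $prog; Suspicious = $true }
            }
        }
}

function Get-ListenerFindings {
    # Listening sockets owned by something that looks like a dropped web server
    # (Apache/httpd by name, or any listener running from an unusual path).
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Sort-Object -Property OwningProcess -Unique | ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if (-not $proc) { return }
            $path = $proc.Path
            $looksWeb = $proc.Name -match '^(httpd|apache)'
            $oddPath  = $path -and ($path -notmatch '^[A-Za-z]:\\(Windows|Program Files)')
            if ($looksWeb -or $oddPath) {
                [pscustomobject]@{ Check = "Listener :$($_.LocalPort) pid $($proc.Id)"; Detail = "$($proc.Name) $path"; Suspicious = $true }
            }
        }
}

function Get-RunKeyFindings {
    # Autostart entries, the simplest way to come back after a reboot.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            $odd = "$($p.Value)" -match '\\Users\\|\\ProgramData\\|\\Temp\\|\.dll'   # assumed heuristic
            [pscustomobject]@{ Check = "Run key $($p.Name)"; Detail = $p.Value; Suspicious = [bool]$odd }
        }
    }
}

$findings = @(Test-WDigestCaching) + @(Get-DefenderExclusionFindings) +
            @(Get-FirewallFindings) + @(Get-ListenerFindings) + @(Get-RunKeyFindings)
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

A clean host prints the WDigest line with an empty or 0 value and little else. The combination the article describes, UseLogonCredential set to 1 alongside a fresh Defender exclusion for a DLL and an httpd process listening from an odd path, is a strong signal, while any one finding on its own can be legitimate and should be checked against change records before it is touched.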

As Stephen Hilt, a senior threat researcher at Trend Micro, notes, a botnet infection often signals that other threats are present as well.

“I regard groups involved in cryptomining as early warning signs—if they’re operating on your system, it’s likely that other malicious activities are occurring,” he states, referring to a previous case in which the LemonDuck cryptomining botnet and Prometei infected the same targets.

Interestingly, Prometei steers clear of one geographic area: the former Soviet states.

Its Tor-based C2 configuration excludes exit nodes located in those countries, and its credential stealer deliberately skips accounts named “Guest” or “Other user” in Russian, behaviour consistent with an operator that wants to avoid Russian-speaking victims.

Earlier versions of Prometei included Russian-language settings, and its name is the word for “Prometheus” in several Slavic languages. The mythological Prometheus endured perpetual punishment, a fitting match for the botnet’s tenacity.

Source
www.darkreading.com
