‘Prometei’ Botnet Expands Its Global Reach with Cryptojacking Activities

Threat Intelligence
‘Prometei’ Botnet Expands Its Global Reach with Cryptojacking Activities

Published:

Reading time: 3 min.

The Resilience of Prometei: An 8-Year-Old Modular Botnet Still Thriving

In the ever-evolving landscape of cybersecurity threats, few phenomena are as alarming as the persistence of certain botnets. One such botnet, known as Prometei, has been making headlines for its remarkable longevity and adaptability. First discovered in 2020, evidence suggests that Prometei has been operational since at least 2016, spreading its malicious payloads across more than 10,000 computers worldwide. From Brazil to Germany, this modular botnet has become a medium-impact threat, as classified by Germany’s Federal Office for Information Security.

A Global Threat

Prometei’s global reach can be attributed to its focus on exploiting widely used software vulnerabilities. According to Callie Guenther, senior manager of cyber-threat research at Critical Start, the botnet thrives in regions with inadequate cybersecurity practices. "Botnets like Prometei typically do not discriminate by region but seek maximum impact by exploiting systemic weaknesses," she explains. Organizations that fail to patch or properly configure their systems, particularly those using outdated Exchange servers, are especially vulnerable.

The Anatomy of a Prometei Attack

Trend Micro has provided insights into what a Prometei attack looks like. The initial infection may appear clunky, but the botnet quickly becomes stealthy, capable of exploiting a variety of vulnerabilities across different services and systems. While its primary focus is on cryptojacking—using infected machines to mine the Monero cryptocurrency—Prometei is also capable of more nefarious activities.

Loud Entry Into Unloved Systems

The initial stages of a Prometei infection are not particularly sophisticated. For instance, Trend Micro observed a case where the botnet began with failed login attempts from IP addresses linked to known Prometei infrastructure in Cape Town, South Africa. Once it successfully logged into a target machine, the malware began probing for outdated vulnerabilities, including the notorious BlueKeep bug in the Remote Desktop Protocol (RDP) and the EternalBlue vulnerability used for propagation via Server Message Block (SMB).

The choice to exploit such old vulnerabilities may seem lazy, but it is, in fact, a strategic move. As Mayuresh Dani, manager of security research at Qualys, points out, "Prime targets are those systems that have not been or cannot be patched for some reason, which translates to them being either unmonitored or neglected from normal security processes." This approach allows Prometei to target systems that are often overlooked by more proactive organizations.

Prometei’s Fire: Advanced Techniques

Once Prometei infiltrates a system, it employs a range of advanced techniques to maintain its foothold. The botnet utilizes a domain generation algorithm (DGA) to enhance its command-and-control (C2) infrastructure, allowing it to continue operating even if victims attempt to block its domains. Additionally, Prometei can manipulate targeted systems to bypass firewalls and ensure that it runs automatically upon system reboots.

One particularly insidious command within Prometei invokes the WDigest authentication protocol, which stores passwords in plaintext in memory. By forcing the activation of WDigest—typically disabled in modern Windows systems—Prometei can exfiltrate passwords without raising alarms. This capability is further enhanced by configuring Windows Defender to ignore the dynamic link library (DLL) that contains the stolen passwords.

Beyond Cryptojacking: A Web Shell Threat

While cryptojacking is the most apparent goal of a Prometei infection, the botnet also downloads and configures an Apache Web server that serves as a persistent Web shell. This Web shell allows attackers to upload additional malicious files and execute arbitrary commands, significantly expanding the potential for further exploitation.

As Stephen Hilt, senior threat researcher at Trend Micro, notes, "Botnet infections are often associated with other kinds of attacks as well." The presence of cryptomining activities can be a warning sign of deeper issues within a compromised system, as evidenced by previous incidents involving other malware families.

A Selective Target: Avoiding Russian Interests

Interestingly, Prometei exhibits a notable geographical bias. The botnet’s Tor-based C2 server is designed to avoid certain exit nodes in former Soviet countries, indicating a deliberate effort to steer clear of Russian-language targets. Older variants of the malware even contained Russian-language settings, and the name "Prometei" itself is a translation of "Prometheus" in various Slavic languages, evoking the myth of a figure punished for bringing knowledge to humanity.

Conclusion: The Ongoing Battle Against Prometei

Prometei stands as a testament to the resilience and adaptability of cyber threats in today’s interconnected world. Its ability to exploit outdated vulnerabilities and maintain a low profile while executing complex commands makes it a formidable adversary. As organizations continue to grapple with the implications of such persistent threats, the importance of robust cybersecurity practices cannot be overstated. Regular patching, system monitoring, and proactive threat detection are essential in the ongoing battle against botnets like Prometei. The lessons learned from this enduring threat serve as a reminder that in the realm of cybersecurity, vigilance is paramount.

Related articles

Recent articles

Latest news

© 2024 BasicFundas.com [ CYBERSECURITY NEWS UPDATES ] All Rights Reserved.