An 8-year-old modular botnet known as "Prometei" continues to wreak havoc across multiple continents by spreading a cryptojacker and a Web shell on vulnerable machines. Although it was first documented in 2020, evidence suggests the botnet has been active in the wild since at least 2016. It has infected more than 10,000 computers globally, with concentrations in countries such as Brazil, Indonesia, Turkey, and Germany, where the Federal Office for Information Security (BSI) categorizes it as a medium-impact threat.
According to Callie Guenther, senior manager of cyber-threat research at Critical Start, Prometei’s global reach is enabled by its exploitation of widely used software vulnerabilities. The botnet targets regions with poor cybersecurity practices, spreading through unpatched systems and weak configurations. Organizations that use unpatched or poorly configured Exchange servers are particularly at risk from this type of botnet attack.
Trend Micro has provided insights into the mechanics of a Prometei attack, describing it as clunky at first but stealthy once established. The botnet can exploit a variety of vulnerabilities in different services and systems; its main purpose is cryptojacking, but the same foothold supports other malicious activity.
An initial Prometei infection may look unsophisticated: bursts of failed network logon attempts from a small set of IP addresses are the usual precursor to a successful one, because the botnet brute-forces credentials before anything else. The malware then targets long-patched vulnerabilities such as BlueKeep (CVE-2019-0708, in RDP), EternalBlue (MS17-010, in SMBv1), and ProxyLogon (CVE-2021-26855 and related Exchange Server flaws) to gain remote code execution and propagate through the network. Exploiting old vulnerabilities may seem lazy, but it works precisely because the targets are systems that were never adequately secured.
Mayuresh Dani, manager of security research at Qualys, noted that Prometei aims to exploit systems that have been neglected or cannot be patched, taking advantage of multiple security vulnerabilities. By targeting systems with known weaknesses, the botnet operators can maximize their impact and compromise vulnerable machines more easily.
Once Prometei gains access to a system, it deploys various tactics to maintain persistence and achieve its objectives. The botnet uses a domain generation algorithm (DGA) so that its command-and-control remains reachable even when individual domains are blocklisted or taken down, and it modifies the host's own firewall configuration so that its traffic is allowed through. It also re-enables WDigest plaintext credential caching, which Windows has disabled by default since 8.1 and Server 2012 R2, so that plaintext passwords can be harvested from memory and exfiltrated without detection.
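The two host-level signals described so far, a burst of failed logons from one source that ends in a success (the brute-force precursor), and the follow-on tampering with WDigest and the local firewall, are all things a SIEM rule can catch. The following is an added example written for this page, not code from Trend Micro or from the Prometei malware. It runs three hypothetical detections over constructed sample events whose field names are a simplified stand-in for Windows Security events 4625/4624 and Sysmon events 1 (process create) and 13 (registry value set); the thresholds, the `svc.exe` path and the timestamps are all assumptions, while the `WDigest\UseLogonCredential` registry value and Sysmon's `DWORD (0x...)` details format are real.

```python
"""Hypothetical detections for the Prometei behaviours described above.

Added example for this page; not Trend Micro's or the malware's code.
Event dicts are a constructed, simplified stand-in for real telemetry.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Times are ISO-8601 strings.
SAMPLE_EVENTS = [
    # Five failed logons from one source, then a success: the brute-force precursor.
    {"ts": "2024-11-01T03:00:01", "id": 4625, "src_ip": "203.0.113.7", "user": "Administrator"},
    {"ts": "2024-11-01T03:00:04", "id": 4625, "src_ip": "203.0.113.7", "user": "Administrator"},
    {"ts": "2024-11-01T03:00:09", "id": 4625, "src_ip": "203.0.113.7", "user": "Administrator"},
    {"ts": "2024-11-01T03:00:15", "id": 4625, "src_ip": "203.0.113.7", "user": "Administrator"},
    {"ts": "2024-11-01T03:00:22", "id": 4625, "src_ip": "203.0.113.7", "user": "Administrator"},
    {"ts": "2024-11-01T03:00:40", "id": 4624, "src_ip": "203.0.113.7", "user": "Administrator"},
    # A user who mistyped a password twice and then logged in: must not alert.
    {"ts": "2024-11-01T08:10:00", "id": 4625, "src_ip": "10.0.0.25", "user": "jsmith"},
    {"ts": "2024-11-01T08:10:06", "id": 4625, "src_ip": "10.0.0.25", "user": "jsmith"},
    {"ts": "2024-11-01T08:10:20", "id": 4624, "src_ip": "10.0.0.25", "user": "jsmith"},
    # Sysmon 13: WDigest switched back to caching plaintext credentials.
    {"ts": "2024-11-01T03:02:00", "id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "details": "DWORD (0x00000001)"},
    # Sysmon 13: unrelated registry write with the same value, must not alert.
    {"ts": "2024-11-01T03:02:01", "id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect",
     "details": "DWORD (0x00000001)"},
    # Sysmon 1: host firewall opened for a hypothetical dropped binary.
    {"ts": "2024-11-01T03:02:05", "id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow '
                'program="C:\\ProgramData\\example\\svc.exe"'},
    # Sysmon 1: read-only netsh use, must not alert.
    {"ts": "2024-11-01T03:02:06", "id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
]


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when a (src_ip, user) pair accumulates >= threshold failed logons
    (4625) within `window` and then produces a successful logon (4624)."""
    alerts = []
    recent_failures = defaultdict(deque)  # (src_ip, user) -> timestamps of 4625s
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] not in (4624, 4625):
            continue
        key = (ev["src_ip"], ev["user"])
        now = datetime.fromisoformat(ev["ts"])
        recent = recent_failures[key]
        while recent and now - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if ev["id"] == 4625:
            recent.append(now)
        elif len(recent) >= threshold:               # 4624 after a burst of failures
            alerts.append({"src_ip": key[0], "user": key[1],
                           "failures": len(recent), "success_at": ev["ts"]})
            recent.clear()
    return alerts


# Real registry value; default 0 on Windows 8.1 / Server 2012 R2 and later.
WDIGEST_VALUE = r"\SecurityProviders\WDigest\UseLogonCredential".lower()


def wdigest_plaintext_enabled(events):
    """Sysmon 13 events that set UseLogonCredential to a non-zero DWORD."""
    hits = []
    for ev in events:
        if ev["id"] != 13 or not ev["target"].lower().endswith(WDIGEST_VALUE):
            continue
        m = re.search(r"DWORD \(0x([0-9a-fA-F]{8})\)", ev.get("details", ""))
        if m and int(m.group(1), 16) != 0:
            hits.append(ev)
    return hits


# netsh rule creation that allows inbound traffic; "show" and "delete" are ignored.
FIREWALL_ALLOW = re.compile(r"advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)


def firewall_allow_rules_added(events):
    """Sysmon 1 events where netsh adds an allow rule to the host firewall."""
    return [ev for ev in events
            if ev["id"] == 1 and FIREWALL_ALLOW.search(ev.get("cmdline", ""))]


def run_detections(events):
    """Run all three detections and return their hits keyed by detection name."""
    return {
        "brute_force_then_success": brute_force_then_success(events),
        "wdigest_plaintext_enabled": wdigest_plaintext_enabled(events),
        "firewall_allow_rules_added": firewall_allow_rules_added(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
```

The brute-force rule keys on the (source IP, account) pair and a sliding time window so that a user who fumbles a password twice does not trip it, and it clears the window after alerting so one intrusion produces one alert rather than one per subsequent logon. The WDigest check matches on the registry value path rather than on `reg.exe`, because the same value can be set by PowerShell or by a dropper writing the registry directly.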
The primary goal of a Prometei infection is cryptojacking, where infected machines are used to mine cryptocurrency without the owners’ knowledge. Additionally, the botnet installs a Web shell on compromised systems, allowing attackers to execute arbitrary commands and upload malicious files. Botnet infections like Prometei often indicate broader security issues within an organization, as highlighted by Stephen Hilt, senior threat researcher at Trend Micro.
Prometei also shows a distinctive geographic bias: its Tor configuration is set up to avoid nodes in former Soviet countries, and its credential brute-forcing skips accounts whose names are the Russian-language labels for "Guest" and "Other user", so Russian-language machines are left alone. Those settings, together with the name itself (Prometei is the transliteration of "Prometheus" in Russian and other Slavic languages), hint at an origin in, or at least ties to, Russia.
In conclusion, Prometei's continued activity shows how long a botnet can live on nothing more than old, unpatched flaws and weak credentials. The practical defenses follow directly from its playbook: patch the vulnerabilities it exploits (BlueKeep, EternalBlue, ProxyLogon), keep RDP, SMB and Exchange off the open internet or behind strong authentication, alert on bursts of failed logons, and treat any change to WDigest or host firewall settings as a sign that an attacker is already inside.
