23 July 2020

New Prometei botnet uses Windows SMB to mine cryptocurrency


Researchers from Cisco Talos have come across a new multi-modular botnet designed to mine Monero cryptocurrency on infected hosts.

The botnet, dubbed "Prometei", leverages various ways of propagation, such as using Microsoft Windows SMB protocol, stolen credentials, psexec, WMI, and SMB exploits. According to the Talos team, the botnet author is apparently aware of the recent SMBGhost vulnerability, but they did not find any evidence of this flaw being exploited by the botnet.

The botnet's operator also uses several custom-built tools that help the botnet increase the number of systems involved in its Monero-mining operations.

The infection starts with the main botnet file, which is copied from other infected systems over SMB using passwords retrieved by a modified Mimikatz module and exploits such as EternalBlue. The botnet contains over 15 executable modules, all of them downloaded and driven by the main module, which communicates with the command and control server. The botnet also tries to recover administrator passwords and sends the stolen passwords to its C2 server. These passwords are then reused by other modules that attempt to gain access to other systems via the SMB and RDP protocols.

According to the report, the 15 modules are organized in two main functional branches, which operate fairly independently. The first branch is written in C++ and uses a special type of obfuscation to remain hidden from detection systems, whereas the second branch is developed with the .NET Framework combined with publicly available tools and open-source software, and is mainly used for brute-force attacks via the SMB and RDP protocols.

"Communication with the C2 server is conducted either directly over HTTP, TOR or I2P proxies. In our analysis, we only managed to find the c:\windows\dell\msdtc.exe file whose main purpose is to proxy requests over TOR to the C2 server," the researchers explained.

"The main botnet module can function alone as a remote access trojan, but the main purpose of this actor is to mine Monero coins and possibly to steal bitcoin wallets potentially protected by passwords stolen with Mimikatz."

Cisco Talos observed requests for C2 servers coming from various countries, with most requests being sent from infected systems in the US, Brazil, Turkey, Pakistan, Mexico, and Chile.

The research team said the botnet started its mining operation in March, and even the loss of one of its C2 servers in June did not thwart its activities. The botnet continues to make a moderate profit for a single developer, most likely based in Eastern Europe, Talos said.

"The actor behind it is also likely its developer. The TTPs indicate we may be dealing with a professional developer, based on their ability to integrate SMB exploits such as Eternal Blue and authentication code and the use of existing open-source projects, such as Mimikatz and FreeRDP," the team continued.

"Apart from stealing computing power, the botnet's behaviour of stealing and validating credentials is worrying. Although we only saw evidence of stolen credentials being used to spread laterally, they also have a value on underground markets and the damage potential of losing an important administrative username and password is very high. This is why organisations that detect the presence of the Prometei botnet on their systems should act immediately to remove it and to make sure none of their credentials are leaked to the command and control server."
