Researchers from Cisco Talos have come across a new multi-modular botnet designed to mine Monero cryptocurrency on infected hosts.
The botnet, dubbed "Prometei", leverages various ways of propagation, such as using Microsoft Windows SMB protocol, stolen credentials, psexec, WMI, and SMB exploits. According to the Talos team, the botnet author is apparently aware of the recent SMBGhost vulnerability, but they did not find any evidence of this flaw being exploited by the botnet.
The botnet's operator also uses several custom-built tools that help the botnet increase the number of systems involved in its Monero-mining operations.
The infection starts with the main botnet file, which is copied from other infected systems over SMB using passwords retrieved by a modified Mimikatz module and exploits such as Eternal Blue. The botnet contains over 15 executable modules, all of which are downloaded and driven by the main module, which communicates with the command and control server. The botnet also tries to recover administrator passwords and then sends the stolen passwords to its C2 server. These passwords are then reused by other modules that attempt to get access to other systems via the SMB and RDP protocols.
According to the report, the 15 modules are organized in two main functional branches, which function fairly independently. The first branch is written in C++ and uses a special type of obfuscation to remain hidden from detection systems, whereas the second branch is developed using the .NET framework combined with publicly available tools and open-source software, and is mainly used for brute-force attacks via the SMB and RDP protocols.
"Communication with the C2 server is conducted either directly over HTTP, TOR or I2P proxies. In our analysis, we only managed to find the c:\windows\dell\msdtc.exe file whose main purpose is to proxy requests over TOR to the C2 server," the researchers explained.
"The main botnet module can function alone as a remote access trojan, but the main purpose of this actor is to mine Monero coins and possibly to steal bitcoin wallets potentially protected by passwords stolen with Mimikatz."
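As an added illustration for defenders (not code from the Talos report or this article), the following Python sketch implements two checks derived from the behaviour described above: flagging a source host that fails logons against many distinct accounts over SMB (logon type 3) or RDP (logon type 10), which is the footprint of the .NET brute-force branch, and flagging an msdtc.exe process image running outside System32, such as the c:\windows\dell\ path quoted by the researchers. The log lines are constructed, and the assumption that the legitimate MSDTC binary resides in System32 is mine, not the article's.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Windows Security event 4625
# (failed logon); not real telemetry. LogonType 3 = network (SMB share
# access), 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
EventID=4625 IpAddress=10.0.0.23 TargetUserName=Administrator LogonType=3
EventID=4625 IpAddress=10.0.0.23 TargetUserName=backup LogonType=3
EventID=4625 IpAddress=10.0.0.23 TargetUserName=svc_sql LogonType=10
EventID=4625 IpAddress=10.0.0.23 TargetUserName=jdoe LogonType=10
EventID=4625 IpAddress=10.0.0.23 TargetUserName=admin LogonType=3
EventID=4625 IpAddress=10.0.0.8 TargetUserName=jdoe LogonType=10
EventID=4625 IpAddress=10.0.0.8 TargetUserName=jdoe LogonType=10
EventID=4624 IpAddress=10.0.0.8 TargetUserName=jdoe LogonType=10
"""

LINE_RE = re.compile(r"EventID=(\d+) IpAddress=(\S+) TargetUserName=(\S+) LogonType=(\d+)")

def parse_events(log):
    """Yield (event_id, source_ip, user, logon_type) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            eid, ip, user, ltype = m.groups()
            yield int(eid), ip, user.lower(), int(ltype)

def spraying_sources(log, min_accounts=5, logon_types=(3, 10)):
    """Source IPs with failed logons (4625) against >= min_accounts distinct
    accounts over SMB or RDP: the footprint of a credential brute-force module."""
    targets = defaultdict(set)
    for eid, ip, user, ltype in parse_events(log):
        if eid == 4625 and ltype in logon_types:
            targets[ip].add(user)
    return sorted(ip for ip, users in targets.items() if len(users) >= min_accounts)

# Assumption: the genuine MSDTC binary lives under System32. Talos reported the
# Prometei TOR proxy module at c:\windows\dell\msdtc.exe instead.
LEGIT_MSDTC = r"c:\windows\system32\msdtc.exe"

def suspicious_msdtc(image_paths):
    """Return any msdtc.exe process image running from outside System32."""
    return [p for p in image_paths
            if p.lower().endswith(r"\msdtc.exe") and p.lower() != LEGIT_MSDTC]

if __name__ == "__main__":
    print("spraying sources:", spraying_sources(SAMPLE_LOG))
    print("suspicious msdtc:", suspicious_msdtc([r"C:\Windows\System32\msdtc.exe",
                                                  r"C:\Windows\dell\msdtc.exe"]))
```

On a real host the log lines would come from the Security event log and the image paths from a process listing; the thresholds are starting points to tune against normal logon volume.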
Cisco Talos observed requests for C2 servers coming from various countries, with most requests being sent from infected systems in the US, Brazil, Turkey, Pakistan, Mexico, and Chile.
The research team said the botnet started its mining operation in March, and even the loss of one of its C2 servers in June did not thwart its activities. The botnet continues to make a moderate profit for a single developer, most likely based in Eastern Europe, Talos said.
"The actor behind it is also likely its developer. The TTPs indicate we may be dealing with a professional developer, based on their ability to integrate SMB exploits such as Eternal Blue and authentication code and the use of existing open-source projects, such as Mimikatz and FreeRDP," the team continued.
"Apart from stealing computing power, the botnet's behaviour of stealing and validating credentials is worrying. Although we only saw evidence of stolen credentials being used to spread laterally, they also have a value on underground markets and the damage potential of losing important administrative usernames and passwords is very high. This is why organisations that detect the presence of the Prometei botnet on their systems should act immediately to remove it and to make sure none of their credentials are leaked to the command and control server."