23 April 2021

Prometei cryptocurrency mining botnet takes advantage of Microsoft Exchange vulnerabilities

Security researchers have warned of a widespread campaign that seeks to propagate Prometei cryptocurrency mining botnet by taking advantage of unpatched Microsoft Exchange servers.

According to Cybereason's Nocturnus team, which discovered the operation, the threat actors behind the botnet have been leveraging recently disclosed Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) to gain access to a network and install malware. Both bugs are among the four Microsoft Exchange zero-days collectively known as ProxyLogon, which were associated with the recent attacks carried out by the Chinese APT Hafnium. Microsoft patched the vulnerabilities in March this year.

Prometei is a modular and multi-stage cryptocurrency botnet that was first spotted in July 2020 and is thought to have been around since 2016. The botnet has both Windows and Linux versions and its main goal is to mine Monero cryptocurrency. This is achieved by using a variety of techniques and tools, ranging from Mimikatz to SMB and RDP exploits.

The botnet targets organizations in the finance, insurance, retail, manufacturing, utilities, travel, and construction industries across the U.S., UK, Germany, France, Spain, Italy and many other European countries, as well as countries in South America and East Asia. Believed to be operated by Russian-speaking threat actors, the botnet doesn’t target former Soviet bloc countries, the researchers noted.

Cybereason also believes the botnet operators are financially motivated and likely not sponsored by a nation-state.

"When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well," the researchers said.

"If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints."

Last week, the US Department of Justice announced that the FBI has conducted a successful operation in which it removed web shells from hundreds of hacked Microsoft Exchange servers.
