13 March 2023

Prometei botnet malware updated with new capabilities to complicate forensic analysis


A new version of the botnet malware known as “Prometei” has been spotted with improved infrastructure components and capabilities that automate its processes and make forensic analysis more difficult.

First observed in 2016, Prometei is a modular botnet with worm-like capabilities that steals credentials and deploys the Monero cryptocurrency miner.

According to a new report from Cisco’s Talos threat research team, Prometei has infected more than 10,000 victims worldwide since November 2022, with a majority of the victims reported in Brazil, Indonesia, and Turkey.

“Talos observed Prometei’s cryptocurrency mining and credential theft activity to be financially motivated and geographically indiscriminate. Its infections are likely opportunistic, targeting vulnerable entities in all regions and industry verticals to support a higher yield of harvested credentials and mining of the Monero cryptocurrency,” the researchers said.

Interestingly, the new version of the malware is designed to avoid attacking Russia, suggesting that the bot’s targeting may have been influenced by the war in Ukraine.

“Prior to Russia’s invasion of Ukraine, the actor avoided targeting Russia and many of its border states, whereas now, they only avoid targeting Russia. This may indicate a desire to limit the infection of and/or communication to any Russian hosts by the botnet’s author, and that previously excluded border states are now fair game,” Cisco Talos noted.

An analysis of the botnet’s execution chain revealed that the Prometei operators have made modifications that automate component and infrastructure updating, complicate defenders’ analysis, and further entrench the actor on victim machines. The execution chain and subsequent actions performed by the botnet were initiated by a malicious PowerShell command that downloaded the primary listening and execution module (sqhost.exe).

The researchers also observed previously undocumented functionality, including an alternative C&C domain generation algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache web server with a web shell that is deployed onto victim hosts, improving the overall technical capabilities of the botnet.
