Security experts from Cisco Talos discovered a new crypto-mining botnet, tracked as Prometei, that exploits the Microsoft Windows SMB protocol for lateral movements.
The Prometei botnet appears to be active at least since March 2020, it has a modular structure and employes multiple techniques to infect systems and evade the detection.
“Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by mining the Monero online currency. The actor employs various methods to spread across the network, like SMB with stolen credentials, psexec, WMI and SMB exploits.” reads the analysis published by Cisco Talos. “The adversary also uses several crafted tools that helps the botnet increase the amount of systems participating in its Monero-mining pool.”
The attack chain starts with the main botnet file attempting to compromise a machine’s Windows Server Message Block (SMB) protocol exploiting SMB vulnerabilities such as Eternal Blue.
The Prometei botnet has more than 15 executable modules that are downloaded by the main module from the C2 server over HTTP.
The botnet used a modified version of Mimikatz to steal credentials and any other passwords of the compromised network, then send them back to the C2 for reuse. The C2 share the passwords with other modules that attempt to verify their validity on other systems using SMB and RDP protocols.
The botnet has two main function branches, a C++ branch tasked of cryptocurrency mining operations and a .NET branch that abuse of SMB to steal credentials.
Experts pointed out that the C++ branch can operate independently from the second one, it implements both functionalities for credential stealing and mining. The branch in C++ implements a special type of obfuscation to evade the detection and the analysis in dynamic automated analysis systems.
The main branch also has auxiliary modules that allow the Prometei botnet to communicate through TOR or I2P networks, to collect information about processes running on the system, check of open ports on target systems and to crawl the file systems in search for file names given as the argument to the module. This latest function is typically used to search for Bitcoin cryptocurrency wallets.
The bot supports various commands, including executing programs and commands, launching command shells, opening, downloading, and stealing files, setting RC4 encryption keys for communication, and managing cryptocurrency mining operations.
According to Talos researchers, the current number of infected hosts is in the low thousands, its operators only generated $1,250 per month on average.
Most of the Prometei bots are in the US, Brazil, Turkey, China, Mexico and Chile.
“Although earnings of $1,250 per month doesn’t sound like a significant amount compared to some other cybercriminal operations, for a single developer in Eastern Europe, this provides more than the average monthly salary for many countries,” Talos concludes. “Perhaps that is why, if we look at the embedded paths to program database files in many botnet components, we see a reference to the folder c:\Work.”
(SecurityAffairs – hacking, Prometei botnet)