‘Prometei’ Botnet Continues its Global Cryptojacking Campaign

October 24, 2024

The 'Prometei' botnet, a Russian-language malware, is still active and spreading a cryptojacker and Web shell on machines across several continents. The botnet was first identified in 2020, but there is evidence to suggest that it has been active since at least 2016. Over the years, it has infected more than 10,000 computers worldwide, in countries as diverse as Brazil, Indonesia, Turkey, and Germany. The German Federal Office for Information Security classifies it as a medium-impact threat.

Callie Guenther, senior manager of cyber-threat research at Critical Start, explains that 'Prometei's reach is global due to its focus on widely used software vulnerabilities.' The botnet spreads by exploiting weak configurations and unpatched systems, so it tends to cluster wherever patching and hardening lag rather than selecting regions deliberately; it seeks to maximize impact by exploiting systemic weaknesses. Organizations that run unpatched or poorly configured Microsoft Exchange servers are particularly exposed.

An attack by Prometei may not initially be sophisticated, but it becomes stealthy once it has gained a foothold on a machine. Its initial access relies on a battery of old, well-known vulnerabilities that may still be present in its target's environment. For example, it uses the five-year-old 'BlueKeep' bug (CVE-2019-0708) in the Remote Desktop Protocol (RDP) to try to achieve remote code execution (RCE). It also uses the older EternalBlue vulnerability (CVE-2017-0144) to propagate via Server Message Block (SMB). Against Exchange servers, it tries the three-year-old ProxyLogon arbitrary file write vulnerabilities CVE-2021-27065 and CVE-2021-26858, which carry 'high' 7.8 CVSS ratings.

Mayuresh Dani, manager of security research at Qualys, points out that 'Prime targets are those systems that have not been or cannot be patched for some reason, which translates to them being either unmonitored or neglected from normal security processes.' The malware authors target easy pickings, knowing that their targets will likely have multiple security issues.

Once Prometei has infiltrated a system, it uses various methods to achieve its goals. It uses a domain generation algorithm (DGA) to make its command-and-control (C2) infrastructure resilient: because the bot can compute a fresh list of candidate domains on its own, it keeps operating even if victims block one or more of the domains currently in use. It also alters the infected system's firewall configuration so that its own traffic is allowed through, and it registers itself to run automatically after every reboot.
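To make the DGA resilience point concrete, the following is an added illustrative example written for this page; it is not Prometei's code and not taken from the article's sources. The seed, alphabet and TLD list are constructed values, the hash-based scheme is a generic one rather than Prometei's real algorithm, and the "resolver" is a stand-in for DNS so the code runs offline. It shows both sides: a bot walking the day's candidate list until one resolves, and a defender who knows the algorithm pre-computing every candidate for a window of days so all of them can be blocked or sinkholed at once.

```python
import hashlib
from datetime import date, timedelta

# Constructed values for the example only; not real indicators of compromise.
SEED = b"example-campaign-seed"
TLDS = ("com", "net", "org")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def generate_domains(day_iso: str, count: int = 10, seed: bytes = SEED,
                     length: int = 12):
    """Deterministically derive `count` candidate C2 domains for one day.

    The bot and anyone who has reverse-engineered the seed compute the same
    list from (seed, day), which is what makes a DGA both takedown-resistant
    for the operator and predictable for a defender who recovers the seed.
    """
    day = date.fromisoformat(day_iso)
    domains = []
    for index in range(count):
        material = seed + day.isoformat().encode() + index.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def first_live_domain(candidates, resolves):
    """Bot-side walk: return the first candidate that resolves, else None.

    `resolves` stands in for a DNS lookup. Blocking only some candidates
    simply moves the bot on to the next one in the list.
    """
    for domain in candidates:
        if resolves(domain):
            return domain
    return None


def precompute_blocklist(start_iso: str, days: int, count: int = 10):
    """Defender-side: enumerate every candidate across a window of days so
    the whole set can be blocked or sinkholed ahead of time."""
    start = date.fromisoformat(start_iso)
    blocklist = set()
    for offset in range(days):
        day = (start + timedelta(days=offset)).isoformat()
        blocklist.update(generate_domains(day, count))
    return blocklist


def simulate_day(day_iso: str, blocked, count: int = 10):
    """Run one day's bot lookup against a blocklist, assuming the operator
    has registered every candidate. None means no live C2 was reachable."""
    candidates = generate_domains(day_iso, count)
    registered = set(candidates)
    return first_live_domain(
        candidates, lambda d: d in registered and d not in blocked)


if __name__ == "__main__":
    today = "2024-10-24"
    todays = generate_domains(today)
    print("partial block ->", simulate_day(today, set(todays[:3])))
    print("full block    ->", simulate_day(today, precompute_blocklist(today, 7)))
```

The practical lesson is in the last two lines: blocking the handful of domains observed in traffic only shifts the bot down its list, whereas recovering the algorithm and seed lets a defender block or sinkhole the entire candidate space in advance.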

The primary purpose of a Prometei infection appears to be cryptojacking: infected machines mine the privacy-focused Monero cryptocurrency without their owners' knowledge. However, it also downloads and configures an Apache Web server that serves as a persistent Web shell, allowing the attackers to upload further malicious files and execute arbitrary commands on the host.

The botnet's Tor-based C2 channel is configured to avoid certain exit nodes in some former Soviet countries. To further spare Russian-speaking victims, its credential-stealing component deliberately skips any accounts labeled 'Guest' or 'Other user' in Russian. Older variants of the malware contained traces of Russian-language settings and language codes, and the name 'Prometei' is the spelling of 'Prometheus' in several Slavic languages.
