An 8-year-old modular botnet is still kicking, spreading a cryptojacker and Web shell on machines spread across several continents.
“Prometei” was first discovered in 2020, but later evidence suggested that it has been in the wild since at least 2016. In the intervening years it spread to more than 10,000 computers globally, in countries as diverse as Brazil, Indonesia, Turkey, and Germany, whose Federal Office for Information Security categorizes it as a medium-impact threat.
“Prometei’s reach is global due to its focus on widely used software vulnerabilities,” explains Callie Guenther, senior manager of cyber-threat research at Critical Start. “The botnet spreads through weak configurations and unpatched systems, targeting regions with inadequate cybersecurity practices. Botnets like Prometei often don’t discriminate by region but seek maximum impact by exploiting systemic weaknesses. [In this case], organizations using unpatched or poorly configured Exchange servers are particularly at risk.”
Trend Micro details what a Prometei attack looks like: clunky in its initial infection but stealthy thereafter, capable of exploiting vulnerabilities in a variety of different services and systems, and focused on cryptojacking but capable of more.
Loud Entry Into Unloved Systems
Don't expect an initial Prometei infection to be terribly sophisticated.
The case Trend Micro observed began with numerous failed network login attempts from two IP addresses appearing to come from Cape Town, South Africa, which aligned closely with known Prometei infrastructure.
After its first successful login into a machine, the malware went to work testing out a variety of old vulnerabilities that might still be lingering in its target’s environment. For example, it uses the half-decade-old “BlueKeep” bug in the Remote Desktop Protocol (RDP), rated a “critical” 9.8 out of 10 in the Common Vulnerability Scoring System, to attempt to achieve remote code execution (RCE). It uses the even older EternalBlue vulnerability to propagate through Server Message Block (SMB). On Windows systems, it tries the 3-year-old ProxyLogon arbitrary file write vulnerabilities CVE-2021-27065 and CVE-2021-26858, which have “high” 7.8 CVSS ratings.
Exploiting such old vulnerabilities could be read as lazy. In another light, it's an effective way of weeding out better-equipped systems belonging to more active organizations.
“Prime targets are those systems that haven’t been or can’t be patched for some reason, which translates to them being either unmonitored or neglected from normal security processes,” Mayuresh Dani, manager of security research at Qualys, points out. “The malware authors want to go after easy pickings, and in today’s connected world, I consider this clever, as if they know that their targets will be affected by multiple security issues.”
Prometei’s Fire
Once Prometei gets to where it wants to go, it has some neat tricks for achieving its ends. It uses a domain generation algorithm (DGA) to harden its command-and-control (C2) infrastructure, enabling it to keep operating even if victims try blocking one or more of its domains. It manipulates targeted systems to allow its traffic through firewalls, and runs itself automatically upon system reboots.
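Because a DGA lets the bot rotate through fresh domains faster than a blocklist can follow, defenders generally look for the behaviour rather than the names: a host resolving a run of random-looking domains. The following script is an added example, not code from the article or from Trend Micro's research; it scores queried domains with simple lexical heuristics (entropy, digit and vowel ratios, label length) over a constructed DNS log and reports clients with repeated DGA-like lookups. The thresholds are assumptions chosen for the sample, and Prometei's actual DGA is not described here.

```python
import math
from collections import Counter

# Constructed DNS query log (not real traffic): "<timestamp> <client_ip> query <domain>"
SAMPLE_DNS_LOG = """\
2024-06-01T10:00:01 10.0.0.5 query www.example.com
2024-06-01T10:00:02 10.0.0.5 query updates.microsoft.com
2024-06-01T10:00:03 10.0.0.7 query xk4q9zv2tbl7pw.net
2024-06-01T10:00:04 10.0.0.7 query qz7h2mvx8nk3rt.org
2024-06-01T10:00:05 10.0.0.7 query b3wjz9qkx0pyd5.com
2024-06-01T10:00:06 10.0.0.9 query mail.google.com
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Second-level label, e.g. 'example' for www.example.com.
    Assumes a single-label public suffix; a real deployment would consult the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain):
    """Count how many DGA-like lexical properties the label has (0-4).
    Thresholds are assumptions tuned to the constructed sample."""
    label = registrable_label(domain)
    n = len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    score = 0
    score += shannon_entropy(label) > 3.3  # near-uniform character spread
    score += digit_ratio > 0.2             # digits mixed into the label
    score += vowel_ratio < 0.25            # unpronounceable
    score += n >= 12                       # long label
    return int(score)


def suspicious_clients(log_text, min_score=3, min_hits=2):
    """Clients that queried at least `min_hits` domains scoring >= `min_score`.
    Flagging per client, not per domain, is what makes this robust to rotation."""
    hits = Counter()
    for line in log_text.splitlines():
        _ts, client, _verb, domain = line.split()
        if dga_score(domain) >= min_score:
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for client, n in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {n} DGA-like lookups")
```

Lexical heuristics alone produce false positives on CDN and tracking hostnames, which is why the example scores only the registrable label and requires several hits from the same client; in practice this signal is combined with NXDOMAIN rates and newly registered domain feeds before it becomes an alert.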
One particularly useful Prometei command invokes the WDigest authentication protocol, which stores passwords in plaintext in memory. WDigest is typically disabled in modern Windows systems, so Prometei turns it on to force plaintext passwords to be cached, then dumps them into a dynamic link library (DLL). Then, another Prometei command configures Windows Defender to ignore that particular DLL, allowing those passwords to be exfiltrated without raising any red flags.
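Two of the behaviours described so far leave very visible traces in Windows telemetry: the noisy burst of failed logins that preceded the first successful one, and the post-compromise pair of WDigest being switched back on followed by a Defender exclusion being added. The script below is an added example, not code from the article or from Trend Micro; it runs those three detections over constructed event lines. The event IDs are the real ones (Security 4625 = failed logon, 4624 = successful logon, Sysmon 13 = registry value set, Defender 5007 = configuration change) and the WDigest registry value and Defender exclusion path are the real locations, but the pipe-delimited layout, the timestamps, IP addresses and the DLL name are constructed placeholders, not Prometei indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event lines: "<iso timestamp>|<provider>|<event id>|key=value|..."
# (a simplified stand-in for the native Windows XML; values may contain spaces).
SAMPLE_EVENTS = r"""
2024-06-01T09:58:10|Security|4625|src_ip=203.0.113.10|target_user=administrator
2024-06-01T09:58:11|Security|4625|src_ip=203.0.113.10|target_user=admin
2024-06-01T09:58:12|Security|4625|src_ip=203.0.113.10|target_user=backup
2024-06-01T09:58:13|Security|4625|src_ip=203.0.113.10|target_user=sqlsvc
2024-06-01T09:58:14|Security|4625|src_ip=203.0.113.10|target_user=test
2024-06-01T09:58:40|Security|4625|src_ip=198.51.100.7|target_user=jsmith
2024-06-01T09:59:05|Security|4624|src_ip=203.0.113.10|target_user=backup
2024-06-01T10:02:00|Sysmon|13|image=C:\Windows\System32\reg.exe|target_object=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential|details=DWORD (0x00000001)
2024-06-01T10:02:30|Defender|5007|details=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\EXAMPLE_PLACEHOLDER.dll = 0x0
"""

# Registry value that re-enables plaintext credential caching for WDigest.
WDIGEST_VALUE = r"SecurityProviders\WDigest\UseLogonCredential"


def parse_events(text):
    """Turn the constructed lines into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, provider, event_id, *fields = line.split("|")
        ev = {"ts": datetime.fromisoformat(ts), "provider": provider,
              "event_id": int(event_id)}
        for field in fields:
            key, _, value = field.partition("=")  # split on the first '=' only
            ev[key] = value
        events.append(ev)
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """{src_ip: burst start} for sources with >= threshold failed logons
    inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["provider"] == "Security" and ev["event_id"] == 4625:
            by_ip[ev["src_ip"]].append(ev["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[ip] = times[i]
                break
    return bursts


def success_after_burst(events, bursts):
    """Source IPs that logged on successfully after their burst began:
    the password-guessing phase likely succeeded."""
    return sorted({ev["src_ip"] for ev in events
                   if ev["provider"] == "Security" and ev["event_id"] == 4624
                   and ev.get("src_ip") in bursts
                   and ev["ts"] >= bursts[ev["src_ip"]]})


def wdigest_enabled(events):
    """Sysmon registry events that set UseLogonCredential to 1."""
    return [ev for ev in events
            if ev["provider"] == "Sysmon" and ev["event_id"] == 13
            and ev.get("target_object", "").endswith(WDIGEST_VALUE)
            and "0x00000001" in ev.get("details", "")]


def defender_exclusions_added(events):
    """Defender configuration changes that touch the exclusion lists."""
    return [ev for ev in events
            if ev["provider"] == "Defender" and ev["event_id"] == 5007
            and r"Windows Defender\Exclusions" in ev.get("details", "")]


def run_detections(text):
    """Return one human-readable alert string per finding."""
    events = parse_events(text)
    bursts = failed_logon_bursts(events)
    alerts = [f"failed-logon burst from {ip} starting {start.isoformat()}"
              for ip, start in bursts.items()]
    alerts += [f"successful logon from {ip} after its failed-logon burst"
               for ip in success_after_burst(events, bursts)]
    alerts += [f"WDigest UseLogonCredential set to 1 by {ev.get('image', '?')}"
               for ev in wdigest_enabled(events)]
    alerts += [f"Defender exclusion added: {ev['details']}"
               for ev in defender_exclusions_added(events)]
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The ordering matters as much as the individual hits: a burst, then a success from the same source, then WDigest re-enabled and a Defender exclusion within minutes is a sequence worth correlating into a single incident rather than four low-priority alerts. Leaving WDigest caching disabled and auditing Defender exclusion changes are the corresponding preventive controls.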
The apparent goal of a Prometei infection appears to be cryptojacking: using infected machines to help mine the ultra-anonymous Monero cryptocurrency without their owners’ knowledge. Beyond that, though, it downloads and configures an Apache Web server that serves as a persistent Web shell. The Web shell allows attackers to upload additional malicious files and execute arbitrary commands.
As Stephen Hilt, senior threat researcher at Trend Micro, points out, botnet infections are often associated with other kinds of attacks as well.
“I always look at the cryptomining groups being a canary in the coal mine — it's an indicator that there is probably more going on in your system,” he says. “If you look at our 2021 blog, there was LemonDuck, a ransomware group, and [Prometei] all within the same machines.”
Russia Links
There’s one particular part of the globe that Prometei doesn’t touch.
The botnet’s Tor-based C2 server is made to specifically avoid certain exit nodes in some former Soviet countries. To further ensure the safety of Russian-language targets, it possesses a credential-stealing component that deliberately avoids affecting any accounts labeled “Guest” or “Other user” in Russian.
Older variants of the malware contained bits of Russian-language settings and language code, and the name “Prometei” is a translation of “Prometheus” in various Slavic languages. In the famous myth, Zeus programs an eagle to attack Prometheus’ liver daily, only for the liver to persist through reboots every night.