An 8-year-old modular botnet is still kicking, spreading a cryptojacker and Web shell on machines spread across several continents.
“Prometei” was first discovered in 2020, but later evidence suggested that it has been in the wild since at least 2016. In those intervening years it spread to more than 10,000 computers globally, in countries as diverse as Brazil, Indonesia, Turkey, and Germany, whose Federal Office for Information Security categorizes it as a medium-impact threat.
“Prometei’s reach is global because of its focus on widely used software vulnerabilities,” explains Callie Guenther, senior manager of cyber-threat research at Critical Start. “The botnet spreads through weak configurations and unpatched systems, targeting regions with inadequate cybersecurity practices. Botnets like Prometei typically don’t discriminate by region but seek maximum impact by exploiting systemic weaknesses. [In this case], organizations using unpatched or poorly configured Exchange servers are particularly at risk.”
Trend Micro details what a Prometei attack looks like: clunky in its initial infection but stealthy thereafter, capable of exploiting vulnerabilities in a variety of different services and systems, and focused on cryptojacking but capable of more.
Loud Entry Into Unloved Systems
Don't expect an initial Prometei infection to be terribly sophisticated.
The case Trend Micro observed began with a number of failed network login attempts from two IP addresses appearing to come from Cape Town, South Africa, which aligned closely with known Prometei infrastructure.
After its first successful login into a machine, the malware went to work testing out a variety of old vulnerabilities that might still be lingering in its target’s environment. For example, it uses the half-decade-old “BlueKeep” bug in the Remote Desktop Protocol (RDP) — rated a “critical” 9.8 out of 10 in the Common Vulnerability Scoring System — to try to achieve remote code execution (RCE). It uses the even older EternalBlue vulnerability to propagate via Server Message Block (SMB). On Windows systems, it tries the 3-year-old ProxyLogon arbitrary file write vulnerabilities CVE-2021-27065 and CVE-2021-26858, which have “high” 7.8 CVSS scores.
Exploiting such old vulnerabilities could be read as lazy. In another light, it is an efficient way to filter out better-equipped systems belonging to more active organizations.
“Prime targets are those systems that haven’t been or can’t be patched for some reason, which translates to them being either unmonitored or neglected from normal security processes,” Mayuresh Dani, manager of security research at Qualys, points out. “The malware authors want to go after easy pickings, and in today’s connected world, I consider this clever, as if they know that their targets may be plagued by multiple security issues.”
Prometei’s Fire
Once Prometei gets to where it wants to go, it has some neat tricks for achieving its ends. It uses a domain generation algorithm (DGA) to harden its command-and-control (C2) infrastructure, enabling it to continue operating even when victims try blocking some of its domains. It manipulates targeted systems to allow its traffic through firewalls, and runs itself automatically upon system reboots.
One particularly useful Prometei command invokes the WDigest authentication protocol, which stores passwords in plaintext in memory. WDigest is generally disabled in modern Windows systems, so Prometei re-enables it to force those plaintext passwords into memory, then dumps them into a dynamic link library (DLL). Then, another Prometei command configures Windows Defender to ignore that particular DLL, allowing those passwords to be exfiltrated without raising any red flags.
The apparent purpose of a Prometei infection appears to be cryptojacking — using infected machines to help mine the ultra-anonymous Monero cryptocurrency without their owners’ knowing it. Beyond that, though, it downloads and configures an Apache Web server that serves as a persistent Web shell. The Web shell allows attackers to upload more malicious files and execute arbitrary commands.
As Stephen Hilt, senior threat researcher at Trend Micro, points out, botnet infections are often associated with other kinds of attacks as well.
“I always look at the cryptomining groups being a canary in the coal mine — it’s an indicator that there’s probably more going on in your system,” he says. “If you look at our 2021 blog, there was LemonDuck, a ransomware group, and [Prometei] all within the same machines.”
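As an added example (not code from the article or from Trend Micro's report), a read-only PowerShell audit for the host-level changes described above: WDigest plaintext caching being switched back on, a Defender exclusion that covers a DLL, and autorun persistence. The registry paths and Defender cmdlets are standard Windows ones; the function name and the user-writable path list are assumptions of this example.

```powershell
# Added example, not from the article or Trend Micro. Run from an elevated
# PowerShell session on the host being checked. Read-only: it changes nothing.
function Get-PrometeiStyleFindings {
    $findings = @()

    # 1. WDigest: UseLogonCredential = 1 makes LSASS keep cleartext credentials in memory.
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $val = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    if ($val -eq 1) {
        $findings += [pscustomobject]@{ Check = 'WDigest'; Detail = 'UseLogonCredential=1 (plaintext credential caching enabled)' }
    }

    # 2. Defender exclusions: excluding a single DLL (or the .dll extension) is unusual
    #    on a normal host and matches the evasion step the text describes.
    $pref = Get-MpPreference
    $exclusions = @($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess)
    foreach ($e in $exclusions) {
        if ($e -and ($e -match '\.dll$' -or $e -match '^\.?dll$')) {
            $findings += [pscustomobject]@{ Check = 'DefenderExclusion'; Detail = $e }
        }
    }

    # 3. Autorun persistence: Run-key entries that launch from user-writable locations
    #    (assumed list of suspicious parent directories).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds to every result.
            if ($p.Name -match '^PS') { continue }
            if ("$($p.Value)" -match '\\(ProgramData|Temp|AppData|Public)\\') {
                $findings += [pscustomobject]@{ Check = 'RunKey'; Detail = "$k\$($p.Name) -> $($p.Value)" }
            }
        }
    }
    return $findings
}

Get-PrometeiStyleFindings | Format-Table -AutoSize
```

An empty table means none of the three indicators is present; any WDigest or DLL-exclusion row warrants a closer look at the host.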
Russia Links
There is one specific part of the globe that Prometei doesn’t touch.
The botnet’s Tor-based C2 server is made to specifically avoid certain exit nodes in some former Soviet countries. To further ensure the safety of Russian-language targets, it possesses a credential-stealing component that deliberately avoids affecting any accounts labeled “Guest” or “Other user” in Russian.
Older variants of the malware contained bits of Russian-language settings and language code, and the name “Prometei” is a translation of “Prometheus” in various Slavic languages. In the famous myth, Zeus sends an eagle to attack Prometheus’ liver every day, only for the liver to persist through reboots every night.