An 8-year-old modular botnet is still kicking, spreading a cryptojacker and Web shell on machines spread across several continents.
“Prometei” was first discovered in 2020, but later evidence suggested that it has been in the wild since at least 2016. In the intervening years it spread to more than 10,000 computers globally, in countries as diverse as Brazil, Indonesia, Turkey, and Germany, whose Federal Office for Information Security categorizes it as a medium-impact threat.
“Prometei’s reach is global because of its focus on widely used software vulnerabilities,” explains Callie Guenther, senior manager of cyber threat research at Critical Start. “The botnet spreads through weak configurations and unpatched systems, targeting regions with inadequate cybersecurity practices. Botnets like Prometei typically don’t discriminate by region but seek maximum impact by exploiting systemic weaknesses. [In this case], organizations using unpatched or poorly configured Exchange servers are particularly at risk.”
Trend Micro details what a Prometei attack looks like: clunky in its initial infection but stealthy thereafter, capable of exploiting vulnerabilities in a variety of different services and systems, and focused on cryptojacking but capable of more.
Loud Entry Into Unloved Systems
Don’t expect an initial Prometei infection to be terribly sophisticated.
The case Trend Micro observed began with a large number of failed network login attempts from two IP addresses appearing to come from Cape Town, South Africa, which aligned closely with known Prometei infrastructure.
After its first successful login into a machine, the malware went to work testing out a variety of old vulnerabilities that might still be lingering in its target’s environment. For example, it uses the half-decade-old “BlueKeep” bug in the Remote Desktop Protocol (RDP), rated a “critical” 9.8 out of 10 in the Common Vulnerability Scoring System, to attempt to achieve remote code execution (RCE). It uses the even older EternalBlue vulnerability to propagate via Server Message Block (SMB). On Windows systems, it tries the 3-year-old ProxyLogon arbitrary file write vulnerabilities CVE-2021-27065 and CVE-2021-26858, which have “high” 7.8 CVSS ratings.
Exploiting such old vulnerabilities could be read as lazy. In another light, it’s an effective way of weeding out better-equipped systems belonging to more active organizations.
“Prime targets are those systems that haven’t been or can’t be patched for some reason, which translates to them being either unmonitored or neglected from normal security processes,” Mayuresh Dani, manager of security research at Qualys, points out. “The malware authors want to go after easy pickings, and in today’s connected world, I consider this smart, as if they know that their targets will be plagued by multiple security issues.”
Prometei’s Fire
Once Prometei gets to where it wants to go, it has some neat tricks for achieving its ends. It uses a domain generation algorithm (DGA) to harden its command-and-control (C2) infrastructure, enabling it to continue operating even when victims try blocking one or more of its domains. It manipulates targeted systems to allow its traffic through firewalls, and runs itself automatically upon system reboots.
One particularly useful Prometei command invokes the WDigest authentication protocol, which stores passwords in plaintext in memory. WDigest is typically disabled in modern Windows systems, so Prometei forces it back on to obtain these plaintext passwords, which it then dumps into a dynamic link library (DLL). Then, another Prometei command configures Windows Defender to ignore that particular DLL, allowing those passwords to be exfiltrated without raising any red flags.
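The three behaviors just described, a burst of failed network logins from one source, WDigest being switched back on, and a Defender exclusion being added, are all visible to a defender in ordinary Windows telemetry. The script below is an added example written for this article, not code from Trend Micro or from the Prometei analysis. It scans constructed JSON-lines events (Windows Security event 4625 failed logons and Sysmon Event ID 13 registry value-set records) and flags each indicator. The field names (ts, host, event, src_ip, image, target, details), the host names, the IP addresses, and the excluded DLL path are this example’s own assumptions, not values from the case.

```python
"""Detection logic for three Prometei-style indicators.

Added example (not from the article or Trend Micro). Scans constructed
JSON-lines security events for:
  1. bursts of failed network logons (event 4625) from one source address,
  2. WDigest UseLogonCredential set to 1 (LSASS keeps plaintext passwords),
  3. new Microsoft Defender exclusions written under the Exclusions key.
The event schema (ts, host, event, src_ip, image, target, details) is an
assumption about the log shipper; hosts, IPs and paths are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry. IPs come from documentation ranges.
SAMPLE_LOG = r"""
{"ts":"2024-06-01T10:00:01Z","host":"EXCH01","event":4625,"src_ip":"203.0.113.10","user":"administrator"}
{"ts":"2024-06-01T10:00:03Z","host":"EXCH01","event":4625,"src_ip":"203.0.113.10","user":"admin"}
{"ts":"2024-06-01T10:00:04Z","host":"EXCH01","event":4625,"src_ip":"203.0.113.10","user":"backup"}
{"ts":"2024-06-01T10:00:06Z","host":"EXCH01","event":4625,"src_ip":"203.0.113.10","user":"sql"}
{"ts":"2024-06-01T10:00:09Z","host":"EXCH01","event":4625,"src_ip":"203.0.113.10","user":"administrator"}
{"ts":"2024-06-01T10:00:11Z","host":"EXCH01","event":4625,"src_ip":"203.0.113.10","user":"test"}
{"ts":"2024-06-01T10:30:00Z","host":"EXCH01","event":4625,"src_ip":"198.51.100.7","user":"jdoe"}
{"ts":"2024-06-01T10:02:40Z","host":"EXCH01","event":4624,"src_ip":"203.0.113.10","user":"administrator"}
{"ts":"2024-06-01T10:03:12Z","host":"EXCH01","event":13,"image":"C:\\Windows\\System32\\reg.exe","target":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential","details":"DWORD (0x00000001)"}
{"ts":"2024-06-01T10:03:20Z","host":"EXCH01","event":13,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","target":"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\example\\creds.dll","details":"DWORD (0x00000000)"}
{"ts":"2024-06-01T10:05:00Z","host":"WS07","event":13,"image":"C:\\Windows\\regedit.exe","target":"HKLM\\SOFTWARE\\Example\\Setting","details":"DWORD (0x00000001)"}
"""

# Real registry locations: the WDigest switch and Defender's exclusion root.
WDIGEST_VALUE = "SecurityProviders\\WDigest\\UseLogonCredential"
DEFENDER_EXCL = "\\Windows Defender\\Exclusions\\"


def parse_events(text):
    """Parse JSON lines into dicts with a parsed 'time'; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue  # a bad record should not take the whole pipeline down
        events.append(ev)
    return events


def failed_logon_bursts(events, threshold=5, window_s=60):
    """{src_ip: peak count} for sources with >= threshold 4625s in any window_s-second span."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("event") == 4625 and "src_ip" in ev:
            by_src[ev["src_ip"]].append(ev["time"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[src] = peak
    return bursts


def wdigest_enabled(events):
    """Hosts where UseLogonCredential was set to 1, re-enabling plaintext creds in memory."""
    return sorted({ev["host"] for ev in events
                   if ev.get("event") == 13
                   and ev.get("target", "").endswith(WDIGEST_VALUE)
                   and "0x00000001" in ev.get("details", "")})


def defender_exclusions(events):
    """(host, kind, item) for every value written under Defender's Exclusions key."""
    found = []
    for ev in events:
        target = ev.get("target", "")
        if ev.get("event") == 13 and DEFENDER_EXCL in target:
            # Under Exclusions\<Paths|Processes|Extensions>\ the value name is the excluded item.
            kind, _, item = target.split(DEFENDER_EXCL, 1)[1].partition("\\")
            found.append((ev["host"], kind, item))
    return found


def triage(text):
    """Run all three detections over a JSON-lines log and return the findings."""
    events = parse_events(text)
    return {
        "logon_bursts": failed_logon_bursts(events),
        "wdigest_hosts": wdigest_enabled(events),
        "defender_exclusions": defender_exclusions(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Each finding on its own is weak (administrators do add exclusions, and a single 4625 burst may be a misconfigured service), but a failed-logon burst followed within minutes on the same host by WDigest being re-enabled and a DLL exclusion is the sequence worth paging someone for. Thresholds and the window are parameters so they can be tuned to the environment.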
The apparent goal of a Prometei infection appears to be cryptojacking: using infected machines to help mine the ultra-anonymous Monero cryptocurrency without their owners’ knowing it. Beyond that, though, it downloads and configures an Apache Web server that serves as a persistent Web shell. The Web shell allows attackers to upload more malicious files and execute arbitrary commands.
As Stephen Hilt, senior threat researcher at Trend Micro, points out, botnet infections are often associated with other kinds of attacks as well.
“I always look at the cryptomining groups being a canary in the coal mine — it’s an indicator that there’s probably more going on in your system,” he says. “If you look at our 2021 blog, there was LemonDuck, a ransomware group, and [Prometei] all across the same machines.”
Russia Links
There’s one specific part of the globe that Prometei doesn’t touch.
The botnet’s Tor-based C2 server is made to specifically avoid certain exit nodes in some former Soviet countries. To further ensure the safety of Russian-language targets, it possesses a credential-stealing component that deliberately avoids affecting any accounts labeled “Guest” or “Other user” in Russian.
Older variants of the malware contained bits of Russian-language settings and language code, and the name “Prometei” is a translation of “Prometheus” in various Slavic languages. In the well-known fable, Zeus programs an eagle to attack Prometheus’ liver every day, only for the liver to persist through reboots each night.