Unpatched Microsoft Exchange servers are being targeted by the Prometei botnet and added to its operators’ army of Monero (XMR) cryptocurrency mining bots.
This malware, which can infect both Windows and Linux systems, was first spotted last year using the EternalBlue exploit to spread across compromised networks and infect vulnerable Windows computers.
Cybereason’s Nocturnus team discovered that the botnet has been active for at least the past 5 years, based on Prometei artifacts submitted to VirusTotal in May 2016.
Cybereason found new malware samples during recent incident response engagements, and the botnet had been updated to exploit the Exchange Server vulnerabilities that Microsoft patched in March.
The main goal of Prometei’s attacks on Exchange servers is to deploy the cryptomining payload, make a profit, and spread to other devices on the network using the EternalBlue and BlueKeep exploits, harvested credentials, and SSH or SQL spreader modules.
When the threat actors gain control of infected machines, they can mine bitcoin by stealing processing power and, at the same time, exfiltrate sensitive information.
According to Assaf Dahan, Cybereason senior director and head of threat research, the attackers can also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints.
The malware has now been upgraded with backdoor capabilities and an extensive array of commands. These include downloading and executing files, searching for files on infected systems, and executing programs or commands on behalf of the attackers.
The attackers behind this botnet are not known, but some evidence suggests that they speak Russian, including the name of the botnet, Prometei (Russian for Prometheus), and the Russian code and product names used in older versions.
The botnet operators are likely to be financially motivated and not sponsored by a nation-state.
As seen in the recent Prometei attacks, the threat actors exploited the recently discovered Microsoft Exchange vulnerabilities to penetrate targeted networks.
According to stats shared by Microsoft last month, around 92% of all Internet-connected on-premises Exchange servers affected by these vulnerabilities are now patched and safe from attacks.