A new cryptojacking botnet was discovered that spreads across compromised networks through various methods, including the EternalBlue exploit for the Windows Server Message Block (SMB) protocol.
The attackers' main aim is to mine Monero (XMR) cryptocurrency and to compromise as many systems as possible in order to maximize profit.
The new botnet has been named Prometei by researchers at Cisco Talos, who found it has been active since at least March. They describe the attacks as a complex campaign that relies on multi-modular malware.
To move laterally between computers on the network, the actor combines living-off-the-land binaries (LoLBins) such as PsExec and WMI, SMB exploits, and stolen credentials.
More than 15 components were found in Prometei attacks, all managed by the main module, which RC4-encrypts data before sending it to the command and control (C2) server over HTTP.
Prometei also tries to recover administrator passwords, which are then sent to the C2 server and reused by other modules that attempt to validate them against other systems over the SMB and RDP protocols.
The researchers found that its modules fall into two categories with different purposes: mining-related operations (dropping the miner, spreading across the network) and gaining access by brute-forcing logins over SMB and RDP.
According to Cisco Talos malware researcher Vanja Svajcer, the distinct functions and programming languages (C++ and .NET) of these modules may indicate that another party is taking advantage of this botnet, which might suggest that a single actor is controlling all of them.
Prometei steals passwords with a modified version of Mimikatz (miwalk.exe). These are passed to the spreader module (rdpclip.exe), which parses them and authenticates over an SMB session. If the credentials fail, the spreader launches a variant of the EternalBlue exploit to distribute and launch the main module (svchost.exe).
The last payload delivered on a compromised system is SearchIndexer.exe, which is version 5.5.3 of the XMRig open-source Monero mining software.
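The component names above are a useful starting point for endpoint triage, but three of them (rdpclip.exe, svchost.exe, SearchIndexer.exe) are also legitimate Windows binaries, so a name match alone is not a finding. The following added example (not code from the article or from Cisco Talos) scores constructed process-creation records: it flags miwalk.exe outright, and flags the masqueraded names only when the image runs outside the Windows system directories, an assumption about where the genuine copies live that is not stated in the article.

```python
import ntpath
from dataclasses import dataclass

# Component file names reported for Prometei in the article. miwalk.exe has no
# legitimate counterpart; the other three are real Windows binary names, so we
# also check which directory the image was launched from.
PROMETEI_ONLY_NAMES = {"miwalk.exe"}
MASQUERADE_NAMES = {"rdpclip.exe", "svchost.exe", "searchindexer.exe"}
# Assumption (not from the article): genuine copies live in these directories.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class Alert:
    host: str
    image: str
    reason: str


def triage_process_events(events):
    """Flag process-creation records that match Prometei's component names.

    `events` is an iterable of dicts with keys host and image (full path),
    e.g. parsed from Sysmon Event ID 1. Returns a list of Alert.
    """
    alerts = []
    for ev in events:
        image = ev["image"]
        name = ntpath.basename(image).lower()
        parent_dir = ntpath.dirname(image).lower().rstrip("\\")
        if name in PROMETEI_ONLY_NAMES:
            alerts.append(Alert(ev["host"], image, "known Prometei credential-theft component"))
        elif name in MASQUERADE_NAMES and parent_dir not in LEGIT_DIRS:
            alerts.append(Alert(ev["host"], image, "Windows-named binary launched outside system directory"))
    return alerts


# Constructed sample telemetry; paths and hostnames are made up, not real IoCs.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws01", "image": r"C:\Users\Public\miwalk.exe"},
    {"host": "ws02", "image": r"C:\ProgramData\svchost.exe"},
    {"host": "ws02", "image": r"C:\ProgramData\SearchIndexer.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\SearchIndexer.exe"},
]

if __name__ == "__main__":
    for a in triage_process_events(SAMPLE_EVENTS):
        print(f"{a.host}: {a.image} -> {a.reason}")
```

Running it on the sample yields three alerts (miwalk.exe on ws01, and the two ProgramData-resident binaries on ws02), while the genuine System32 copies on ws01 and ws03 are left alone.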
Prometei also has anti-detection and analysis-evasion features. It can communicate with the C2 server through TOR or I2P proxies to receive instructions and send out stolen data.
The main module can also act as a remote access trojan, even though the main functionality is Monero mining and possibly stealing Bitcoin wallets.
The botnet affected victims in the United States, Brazil, Pakistan, China, Mexico, and Chile. The threat actors managed to make a profit of $5,000 in just four months.