Experts from the Cybereason Nocturnus Team have investigated multiple incidents involving the Prometei Botnet. The attackers hit companies in North America and threat actors exploited the ProxyLogon Microsoft Exchange flaws (CVE-2021-27065 and CVE-2021-26858) to deliver malware in their networks. Attackers are exploiting the ProxyLogon flaws in Microsoft Exchange to recruit machines in a cryptocurrency botnet tracked as Prometei.
The Prometei botnet appears to be active at least since March 2020, but it was first observed by Cisco Talos experts in July 2020. A deep investigation of artifacts uploaded on VirusTotal allowed the experts to determine that the botnet may have been active at least since May 2016. Experts pointed out that the malware has constantly been updated by its creators with the implementation of new modules and features.
The crypto-mining botnet has a modular structure and employs multiple techniques to infect systems and evade detection.
“Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more.” reads the analysis published by Cybereason. “The victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread. Prometei has been observed to be active in systems across a variety of industries, including: Finance, Insurance, Retail, Manufacturing, Utilities, Travel, and Construction.”
Experts observed that the crooks behind this botnet explicitly avoid infecting targets in former Soviet bloc countries.
Prometei targets both Windows-based and Linux-Unix-based delivering the appropriate payload based on the operating system. In order to make the botnet resilient to C2 takeover, the bot is able to interact with four different command-and-control (C2) servers.
In the incidents investigated by Cyberreason, threat actors exploit the CVE-2021-27065 and CVE-2021-26858 flaws to deploy the China Chopper web shell to gain persistent access to the network. Then the threat actor launched PowerShell to download the initial Prometei payload from a remote server.
The PowerShell downloads a payload from a remote server that start of the Prometei botnet execution launching the main bot module (Zsvc.exe) which prepares the ground” for the other modules:
The bot supports a broad range of commands, experts also observed a module called “Microsoft Exchange Defender” that masquerades as a legitimate Microsoft product, which is used to remove other competing web shells.
Due to the modular structure, the malware will continue to evolve, and threat actors behind the botnet will implement new features to improve evasion capabilities and allow to infect a large number of devices as possible.
“The different components work together to enable the malware to perform many tasks: credential harvesting, spreading across the network, establishing C2 communications and more. The malware authors are able to add more modules and expand their capabilities easily, and potentially even shift to another payload objective, more destructive than just mining Monero.” concludes the report.
“Threat actors in the cybercrime community continue to adopt APT-like techniques and improve efficiency of their operations. As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks. This threat poses a great risk for organizations, since the attackers have absolute control over the infected machines, and if they wish so, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints.”
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Prometei)