A newly documented cryptocurrency-mining botnet named Prometei evades detection and monetizes its activity in a comparatively unobtrusive way.
It is the first time anyone has documented this multi-modular botnet, according to Talos, which discovered it and dubbed it "Prometei." The botnet, which has been active since March, spreads a payload that generates financial returns for the attackers by mining Monero for a single developer, who is also the operator and is likely based in Eastern Europe.
In a new report, Talos said defenders are likely to spot the botnet, but the infection will probably not be visible to end users. The discovery came out of Talos's investigation of telemetry data it received from the Cisco AMP for Endpoints install base.
After studying its activity over the past two months, Talos believes the actor has used several methods to spread Prometei across a network, harvesting credentials and exploiting Windows Management Instrumentation (WMI) and Server Message Block (SMB). The adversary also uses several crafted tools that help the botnet increase the number of systems participating in its Monero-mining pool.
The infection begins with the main botnet file, which is copied from other infected systems over SMB, using passwords retrieved by a modified Mimikatz module and exploits such as EternalBlue.
Talos reported that the botnet appears to be aware of the latest SMB vulnerabilities, such as SMBGhost, but found no evidence of that exploit being used. Prometei has more than 15 executable modules, all of which are downloaded and pushed by the main module, which communicates continuously with the command and control (C2) server over HTTP.
The botnet uses techniques from the MITRE ATT&CK framework, most notably T1089 (Disabling Security Tools), T1105 (Remote File Copy), T1027 (Obfuscated Files or Information), T1086 (PowerShell), T1035 (Service Execution), T1036 (Masquerading) and T1090 (Connection Proxy). These are the technique IDs in use at the time of the report; ATT&CK's July 2020 sub-technique release later folded several of them, including T1035, T1086 and T1089, into sub-techniques of other entries.
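The lateral-movement chain described above (a network logon with stolen credentials, the main module copied to the victim over SMB, then executed as a service) leaves a correlatable trail in standard Windows event logs. The following is an added detection example written for this page; it is not Talos's code and not part of the Prometei report. The event records are constructed samples, the service name, image paths and five-minute window are arbitrary assumptions, and the masquerading heuristic (a binary named like a system executable living outside System32) is a generic check for T1036, not a Prometei indicator. The event IDs themselves are the standard Windows ones: 4624 (logon), 5145 (share object access) and 7045 (service installed).

```python
from datetime import datetime, timedelta

# Constructed sample events for illustration only; not real Prometei telemetry.
# Event IDs follow standard Windows logging: 4624 logon, 5145 share access, 7045 service install.
SAMPLE_EVENTS = [
    # Host WS-17: network logon, an .exe written to ADMIN$, then a service installed
    # from a non-system path, all by the same account within seconds.
    {"ts": "2020-06-01T10:00:01", "host": "WS-17", "id": 4624, "logon_type": 3,
     "user": "svc_admin", "src_ip": "10.0.0.5"},
    {"ts": "2020-06-01T10:00:03", "host": "WS-17", "id": 5145, "user": "svc_admin",
     "src_ip": "10.0.0.5", "share": "\\\\*\\ADMIN$", "path": "Temp\\svchost.exe"},
    {"ts": "2020-06-01T10:00:09", "host": "WS-17", "id": 7045, "user": "svc_admin",
     "service": "ExampleSvc", "image": "C:\\Windows\\Temp\\svchost.exe"},
    # Host WS-22: a remote admin session that writes a text file and installs no service.
    {"ts": "2020-06-01T11:00:00", "host": "WS-22", "id": 4624, "logon_type": 3,
     "user": "helpdesk", "src_ip": "10.0.0.9"},
    {"ts": "2020-06-01T11:00:02", "host": "WS-22", "id": 5145, "user": "helpdesk",
     "src_ip": "10.0.0.9", "share": "\\\\*\\C$", "path": "logs\\notes.txt"},
    # Host WS-30: a service install from System32 with no preceding network logon.
    {"ts": "2020-06-01T12:00:00", "host": "WS-30", "id": 7045, "user": "SYSTEM",
     "service": "UpdateSvc", "image": "C:\\Windows\\System32\\svchost.exe"},
]

WINDOW = timedelta(minutes=5)  # assumed correlation window
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "rundll32.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"


def parse_ts(s):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(s)


def is_masquerading(image):
    """T1036 heuristic: image named like a Windows system binary but not under System32."""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARY_NAMES and not low.startswith(SYSTEM_DIR)


def find_lateral_movement(events, window=WINDOW):
    """Return one alert per host where, within `window` before a 7045 service install,
    the same account logged on over the network (4624, logon type 3) and wrote an
    executable to a share (5145). Tags the alert with the matching ATT&CK IDs."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        for svc in (e for e in evs if e["id"] == 7045):
            t_svc = parse_ts(svc["ts"])
            recent = [e for e in evs if t_svc - window <= parse_ts(e["ts"]) <= t_svc]
            logons = [e for e in recent
                      if e["id"] == 4624 and e.get("logon_type") == 3
                      and e["user"] == svc["user"]]
            copies = [e for e in recent
                      if e["id"] == 5145 and e["user"] == svc["user"]
                      and e["path"].lower().endswith(".exe")]
            if logons and copies:
                techniques = ["T1105", "T1035"]  # remote file copy, service execution
                if is_masquerading(svc["image"]):
                    techniques.append("T1036")
                alerts.append({
                    "host": host,
                    "user": svc["user"],
                    "src_ip": logons[0]["src_ip"],
                    "service": svc["service"],
                    "image": svc["image"],
                    "techniques": techniques,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```

Only WS-17 trips the rule: WS-22 has the logon and share write but no service install, and WS-30 has a service install from a legitimate path with no network logon behind it. In practice the share-access event requires file-share auditing to be enabled on endpoints, and the window and binary-name list would be tuned to the environment.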