A new type of cryptocurrency-mining botnet that has been silently spreading across networks in recent months has been discovered by researchers. The botnet propagates using several methods, including the exploitation of SMB vulnerabilities.
The new cryptojacking botnet was discovered by researchers at Cisco Talos, according to ZDNet. The researchers added that the malware, which they named Prometei, has been infecting networks since March this year.
The Prometei malware’s goal is to enslave as many systems as it can to increase the yield of its clandestine mining activities. According to BleepingComputer, the cryptojacking botnet is programmed specifically to mine the Monero (XMR) cryptocurrency.
One characteristic that sets the Prometei malware apart is that it uses a modular design as well as a variety of techniques to infect target networks and hide its presence from users. It starts by attempting to compromise a computer over the Windows Server Message Block (SMB) protocol via SMB vulnerabilities such as EternalBlue.
Prometei also has a module designed to steal passwords, a modified version of Mimikatz. Combined with brute-force methods, it will scan for, store, and test stolen credentials. Passwords are also sent to the operator’s C2 server so they can be reused by “other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols.”
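The credential-reuse behaviour described above, as an added detection example that is not code from the original article or from Talos: it scans constructed Windows Security events (4624/4625, logon type 3 for SMB network logons and 10 for RDP) for a single source address validating many accounts against several hosts within a short window. The event layout, sample values and thresholds are assumptions.

```python
"""Flag credential-validation sweeps over SMB (network logon) and RDP."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows LogonType 3 = network (SMB share/IPC$ access), 10 = RemoteInteractive (RDP).
SWEEP_LOGON_TYPES = {3, 10}

# Constructed sample events, not real telemetry:
# (timestamp, event_id, target_host, account, source_ip, logon_type)
SAMPLE_EVENTS = [
    ("2020-07-22T10:00:01", 4625, "FS01", "alice",  "10.0.0.5", 3),
    ("2020-07-22T10:00:02", 4625, "FS01", "bob",    "10.0.0.5", 3),
    ("2020-07-22T10:00:03", 4624, "FS01", "svc_bk", "10.0.0.5", 3),
    ("2020-07-22T10:00:09", 4624, "WS17", "svc_bk", "10.0.0.5", 10),
    ("2020-07-22T10:00:15", 4625, "WS22", "carol",  "10.0.0.5", 3),
    ("2020-07-22T10:00:20", 4624, "WS22", "dave",   "10.0.0.5", 10),
    # Benign: one user, one host, a typo followed by a successful RDP logon.
    ("2020-07-22T10:05:00", 4625, "WS03", "erin",   "10.0.0.9", 10),
    ("2020-07-22T10:05:04", 4624, "WS03", "erin",   "10.0.0.9", 10),
]


def find_credential_sweeps(events, window=timedelta(minutes=5), min_users=3, min_hosts=2):
    """Return {source_ip: (distinct_users, distinct_hosts, successes)} for every
    source that tried at least `min_users` accounts against at least `min_hosts`
    hosts within `window`. Successes (4624) are counted separately because a
    sweep that produces them means a harvested password was accepted somewhere."""
    by_src = defaultdict(list)
    for ts, eid, host, user, src, ltype in events:
        if eid in (4624, 4625) and ltype in SWEEP_LOGON_TYPES:
            by_src[src].append((datetime.fromisoformat(ts), eid, host, user))
    hits = {}
    for src, recs in by_src.items():
        recs.sort()  # chronological; tuples sort on the datetime first
        for i, (t0, _, _, _) in enumerate(recs):
            span = [r for r in recs[i:] if r[0] - t0 <= window]
            users = {r[3] for r in span}
            hosts = {r[2] for r in span}
            if len(users) >= min_users and len(hosts) >= min_hosts:
                successes = sum(1 for r in span if r[1] == 4624)
                hits[src] = (len(users), len(hosts), successes)
                break  # one alert per source is enough
    return hits


if __name__ == "__main__":
    for src, (users, hosts, ok) in find_credential_sweeps(SAMPLE_EVENTS).items():
        print(f"{src}: {users} accounts across {hosts} hosts, {ok} accepted")
```

Tune `min_users` and `min_hosts` to the environment; a backup or scanning service account that legitimately touches every host will show one user across many hosts, which this logic does not flag.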
Another thing that sets Prometei apart from its cryptojacking malware peers is that it also features analysis-evasion and anti-detection capabilities. Its maker or makers have built it so that later variants of the bot are more complex than their predecessors.
Later versions of the main module spread under various file names, making it harder for researchers to detect. “In addition to making manual analysis more difficult, this anti-analysis technique also avoids detection in dynamic automated analysis systems,” Cisco Talos’ Vanja Svajcer wrote.
Researchers were able to identify a total of 15 executable modules from the Prometei botnet, which can be divided into two groups. Those involved in the actual cryptocurrency mining were written in C++, while the rest, such as the modules responsible for SMB abuse, obfuscation, and credential theft, were written in .NET.
Researchers estimate that the number of infected systems worldwide is in the “low thousands” with average earnings per month at around $1,250. “Although earnings of $1,250 per month doesn't sound like a significant amount compared to some other cybercriminal operations, for a single developer in Eastern Europe, this provides more than the average monthly salary for many countries,” Talos said.