Cybereason finds cryptocurrency botnet exploiting MS Exchange vulnerabilities

Assaf Dahan, senior director, head of threat research, Cybereason.
Assaf Dahan, Senior Director, Head of Threat Research, Cybereason.
4 years ago

Cybereason, the leader in future-ready attack protection, has announced the discovery of a new, highly targeted botnet campaign, using the stealthy, pervasive, Prometei Botnet, to target companies around the world with a multi-pronged attack that looks to steal bitcoin and data from corporate networks. The threat actor, a Russian speaker, is taking advantage of Microsoft Exchange vulnerabilities to penetrate random networks. This threat has likely resulted in steep financial and data losses for companies.

Prometei has a diverse infrastructure designed to ensure it stays alive with infected machines being part of the botnet. Over the years, different Prometei C2 servers were taken down by authorities, and the attackers worked around it. While Prometei was first reported on in July 2020, Cybereason believes it dates back to at least 2016, a year before the now infamous WannaCry and NotPetya malware attacks that affected more than 200 countries and caused billions in damages. Prometei continues to evolve with new features and tools regularly observed.

“The Prometei Botnet poses a big risk for companies because it has been under reported. When the attackers take control of infected machines, they are not only capable of stealing bitcoin, but sensitive information as well. If they desire to do so, the attackers can also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints. And to make matters worse, cryptomining drains network computing power, impacting business continuity and the performance and stability of critical servers” said Assaf Dahan, senior director, head of threat research, Cybereason.

Key findings from the research, include:

  • Wide range of Victims: Victims have been observed across a variety of industries, including: Finance, Insurance, Retail, Manufacturing, Utilities, Travel and Construction. Infected companies are based in countries around the world, including the United States, United Kingdom, Germany, France, Spain, Italy and other European countries, South America and East Asia.
  • Russian Speaking Threat Actor: The threat actor appears to be Russian speaking and is purposely avoiding infections in former Soviet bloc countries.
  • Exploiting SMB and RDP Vulnerabilities: The main objective of Prometei is to install the Monero crypto miner on corporate endpoints. To spread across networks, the threat actor is using known Microsoft Exchange vulnerabilities, in addition to known exploits EternalBlue and BlueKeep.
  • Cross-Platform Threat: Prometei has both Windows based and Linux-Unix based versions, and it adjusts it’s payload based on the detected operating system, on the targeted infected machines when spreading across the network.
  • Cybercrime with APT Flavor: Cybereason believes the Prometei Botnet operator is financially-motivated and hoping to earn hefty sums of bitcoin but is not backed by a nation-state.
  • Resilient C2 Infrastructure: Prometei is built to interact with four different command and control (C2) servers which strengthens the botnet’s infrastructure and maintains continuous communications, making it more resistant to takedowns.

Don't Miss

Greg Day, VP Europe Middle East and Africa, Field CISO, Cybereason.

Shift to SaaS fragments identity management

The big shift to SaaS has fragmented more than a decade’s worth
Greg Day, Vice President and Global Field CISO EMEA, Cybereason.

The answer lies in detection efficacy

Over the years I have seen hundreds of company’s trials and deploy