From Brute Force to Cryptojacking with Prometei Botnet
The Prometei botnet, active since at least 2016, has been linked to operations focused on cryptocurrency mining and credential theft. Findings reported by Trend Micro contextualize the threat, noting that by "early 2023, it had compromised over 10,000 systems globally, with significant activity in Brazil, Indonesia, and Turkey." The threat actors use a domain generation algorithm (DGA) for command-and-control (C&C) infrastructure and employ self-updating features for evasion. They gain access to systems by exploiting vulnerabilities such as BlueKeep (CVE-2019-0708) and Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858). Trend Micro's analysis suggests that the threat actors are Russian-speaking individuals, as indicated by linguistic traces found in earlier versions of the malware.
In the observed attack chain, initial access, when it was not achieved by exploiting vulnerabilities to drop web shells or PowerShell scripts, involved brute-force attempts. Telemetry from Trend Micro revealed failed login events from two specific IP addresses. Once access was obtained, the attackers abused Remote Desktop Protocol (RDP) and Server Message Block (SMB). They then dropped several executables (.exe) and dynamic link library (.dll) files into directories such as "C:\Windows\dell" and "C:\Windows". A key binary, "sqhost.exe", was responsible for downloading additional malware from the C&C servers. This process continued to run under its original name or was renamed to "C:\Windows\zsvc.exe". Commands executed by this process included creating firewall rules with "netsh" to allow inbound traffic for "sqhost.exe", starting a service named "UPlugPlay", and adding registry entries via "reg.exe" to ensure persistence.
Among the registry modification activity, attackers used "reg.exe" to tamper with the WDigest authentication protocol, forcing credentials to be stored in clear text. Additional system modifications were made using the PowerShell cmdlet "Add-MpPreference" to create exclusions for the 'C:\Windows\dell' and 'C:\Windows' directories. For lateral movement, the attackers used WMI Provider Host (wmiprvse.exe) and PowerShell scripts to execute base64-encoded commands across the network. Prometei also leveraged SSH connections to external IPs for further exploitation.
Prometei's operators deployed the XMRig cryptocurrency miner with a command line targeting Monero mining pools. The "-o stratum+tcp" option connects the miner to the mining pool using the Stratum protocol. The "--donate-level 1" flag sets a donation level of 1%, "-p x" specifies the default password, and "-u id" assigns the miner an identifier for tracking purposes. This setup allows Prometei to mine Monero, exploiting the compromised system's resources for cryptojacking operations.
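As an added defensive example (not code from the report or from Trend Micro), the following Python script runs a handful of command-line detection rules over constructed process-creation events and parses the miner flags the text explains. The rules are derived from the behaviours described above: the "netsh" firewall rule for "sqhost.exe", the "reg.exe" change to WDigest, the "Add-MpPreference" exclusions for the Windows directories, the "UPlugPlay" service start, and an XMRig command line pointing at a Stratum pool. The event format, host names, rule names and pool address are assumptions; the WDigest value name UseLogonCredential is the standard registry setting that, when set to 1, makes credentials cacheable in clear text.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (host, image, command line). They are
# modelled on the behaviours described in the text above, not copied from any telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="constructed-rule" dir=in action=allow program="C:\Windows\sqhost.exe"'},
    {"host": "ws01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Windows\dell'"},
    {"host": "ws01", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe start UPlugPlay"},
    {"host": "ws02", "image": r"C:\Windows\dell\xmrig.exe",
     "cmdline": r"xmrig.exe -o stratum+tcp://pool.example.invalid:3333 -u id -p x --donate-level 1"},
    {"host": "ws03", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},  # benign query
]

# Each rule is (name, compiled regex over the command line). Rule names are labels
# chosen for this example; the WDigest key and value are the standard ones.
RULES = [
    ("firewall_allow_sqhost",
     re.compile(r"netsh\b.*\badvfirewall\b.*\badd rule\b.*sqhost\.exe", re.I)),
    ("wdigest_cleartext_creds",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\WDigest\b.*UseLogonCredential.*/d\s+1\b", re.I)),
    ("defender_exclusion_windows_dir",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath\b.*C:\\Windows(\\dell)?\b", re.I)),
    ("uplugplay_service_start",
     re.compile(r"\bstart\b.*\bUPlugPlay\b", re.I)),
    ("stratum_miner_cmdline",
     re.compile(r"stratum\+(tcp|ssl)://", re.I)),
]


def match_rules(event):
    """Return the names of every rule whose pattern matches this event's command line."""
    cmd = event["cmdline"]
    return [name for name, pattern in RULES if pattern.search(cmd)]


def parse_miner_args(cmdline):
    """Pull the pool URL, worker id, password and donate level out of an XMRig-style
    command line. Handles both '--donate-level 1' and '--donate-level=1' forms."""
    tokens = cmdline.split()
    out = {"pool": None, "user": None, "password": None, "donate_level": None}
    flags = {"-o": "pool", "--url": "pool", "-u": "user", "--user": "user",
             "-p": "password", "--pass": "password", "--donate-level": "donate_level"}
    i = 0
    while i < len(tokens):
        key, sep, inline = tokens[i].partition("=")
        if key in flags:
            value = inline if sep else (tokens[i + 1] if i + 1 < len(tokens) else None)
            out[flags[key]] = value
            i += 1 if sep else 2
            continue
        i += 1
    if out["donate_level"] is not None:
        out["donate_level"] = int(out["donate_level"])
    return out


def triage(events, min_rules=2):
    """Group rule hits by host. A host is escalated when several stages of the chain
    appear on it, or when a miner command line is seen at all."""
    hits = defaultdict(list)
    for ev in events:
        for name in match_rules(ev):
            hits[ev["host"]].append(name)
    result = {}
    for host, names in hits.items():
        unique = sorted(set(names))
        escalate = len(unique) >= min_rules or "stratum_miner_cmdline" in unique
        result[host] = {"rules": unique, "escalate": escalate}
    return result


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
    print(parse_miner_args(SAMPLE_EVENTS[4]["cmdline"]))
```

Running the script flags ws01 for four distinct stages (firewall rule, WDigest change, Defender exclusion, service start) and ws02 for the Stratum miner command line, while the benign "reg.exe query" on ws03 produces no hit. In a real deployment the regexes would run over process-creation telemetry (for example Sysmon Event ID 1 command lines), and the per-host grouping is what turns individually noisy signals into a single incident.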