An 8-year-old modular botnet is still kicking, spreading a cryptojacker and Web shell on machines spread across multiple continents.
“Prometei” was first discovered in 2020, but later evidence suggested that it’s been in the wild since at least 2016. In those intervening years it spread to more than 10,000 computers globally, in countries as diverse as Brazil, Indonesia, Turkey, and Germany, whose Federal Office for Information Security categorizes it as a medium-impact threat.
“Prometei’s reach is global due to its focus on widely used software vulnerabilities,” explains Callie Guenther, senior manager of cyber-threat research at Critical Start. “The botnet spreads through weak configurations and unpatched systems, targeting regions with inadequate cybersecurity practices. Botnets like Prometei typically do not discriminate by region but seek maximum impact by exploiting systemic weaknesses. [In this case], organizations using unpatched or poorly configured Exchange servers are particularly at risk.”
Trend Micro details what a Prometei attack looks like: clunky in its initial infection but stealthy thereafter, capable of exploiting vulnerabilities in a variety of different services and systems, and focused on cryptojacking but capable of more.
Loud Entry Into Unloved Systems
Don’t expect an initial Prometei infection to be terribly sophisticated.
The case Trend Micro observed began with a number of failed network login attempts from two IP addresses appearing to come from Cape Town, South Africa, which aligned closely with known Prometei infrastructure.
After its first successful login into a machine, the malware went to work testing out a variety of outdated vulnerabilities that might still be lingering in its target’s environment. For example, it uses the half-decade-old “BlueKeep” bug in the Remote Desktop Protocol (RDP) — rated a “critical” 9.8 out of 10 in the Common Vulnerability Scoring System — to try to achieve remote code execution (RCE). It uses the even older EternalBlue vulnerability to propagate via Server Message Block (SMB). On Windows systems, it tries the 3-year-old ProxyLogon arbitrary file write vulnerabilities CVE-2021-27065 and CVE-2021-26858, which carry “high” 7.8 CVSS ratings.
Exploiting such old vulnerabilities could be read as lazy. In another light, it’s an effective approach to weeding out better-equipped systems belonging to more active organizations.
“Prime targets are those systems that have not been or cannot be patched for some reason, which translates to them being either unmonitored or neglected from normal security processes,” Mayuresh Dani, manager of security research at Qualys, points out. “The malware authors want to go after easy pickings, and in today’s connected world, I consider this intelligent, as if they know that their targets will be plagued by multiple security issues.”
Prometei’s Fire
Once Prometei gets to where it wants to go, it has some neat tricks for achieving its ends. It uses a domain generation algorithm (DGA) to harden its command-and-control (C2) infrastructure, enabling it to continue operating even if victims try blocking one or more of its domains. It manipulates targeted systems to allow its traffic through firewalls, and runs itself automatically upon system reboots.
One particularly useful Prometei command invokes the WDigest authentication protocol, which caches passwords in plaintext in memory. WDigest is typically disabled on modern Windows systems, so Prometei re-enables it, forcing plaintext passwords to be cached, and then dumps them into a dynamic link library (DLL). Another Prometei command then configures Windows Defender to ignore that particular DLL, allowing the passwords to be exfiltrated without raising any red flags.
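The two host-side artifacts just described (WDigest plaintext caching switched back on, and a Defender exclusion covering a DLL) are both checkable from an elevated PowerShell session. The following hunt script is an added example, not code from the article or from Trend Micro; it assumes a Windows 8.1/Server 2012 R2 or later host where the UseLogonCredential value exists and the Defender cmdlets are available.

```powershell
# Added hunt check (not from the article): flags the WDigest and Defender-exclusion
# artifacts described above. Run in an elevated PowerShell session on the endpoint.
$findings = @()

# 1. WDigest plaintext credential caching. Modern Windows defaults this value to 0
#    (or leaves it absent); a value of 1 means LSASS will hold plaintext passwords.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
if ($useLogonCred -eq 1) {
    $findings += [pscustomobject]@{ Check = 'WDigest'; Detail = "UseLogonCredential=1 at $wdigestKey" }
}

# 2. Defender exclusions. Any exclusion deserves a look; a DLL excluded by full path
#    matches the pattern in the article, so those are labelled separately.
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs) {
    foreach ($p in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess)) {
        if ([string]::IsNullOrWhiteSpace($p)) { continue }
        $label = if ($p -match '\.dll$') { 'DefenderExclusion-DLL' } else { 'DefenderExclusion' }
        $findings += [pscustomobject]@{ Check = $label; Detail = $p }
    }
}

# 3. Corroborate with Defender's own audit trail: event 5007 in the Defender
#    Operational log records every platform configuration change, including new
#    exclusions (the message names the Exclusions registry path). Last 30 days.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Check = 'DefenderConfigChange'; Detail = "$($_.TimeCreated): $($_.Message -replace '\s+', ' ')" }
    }

if ($findings.Count -eq 0) { 'No WDigest or Defender-exclusion findings.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Registry-level detection of the WDigest change itself (Security event 4657) only fires if object-access auditing is enabled on that key, so the Defender 5007 event is the more reliable of the two signals on a default-configured host.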
The most obvious purpose of a Prometei infection appears to be cryptojacking — using infected machines to help mine the ultra-anonymous Monero cryptocurrency without their owners knowing it. Beyond that, though, it downloads and configures an Apache Web server that serves as a persistent Web shell. The Web shell allows attackers to upload more malicious files and execute arbitrary commands.
As Stephen Hilt, senior threat researcher at Trend Micro, points out, botnet infections are often associated with other kinds of attacks as well.
“I always look at the cryptomining groups being a canary in the coal mine — it’s an indicator that there’s probably more going on in your system,” he says. “If you look at our 2021 blog, there was LemonDuck, a ransomware group, and [Prometei] all within the same machines.”
Russia Links
There is one specific part of the globe that Prometei does not touch.
The botnet’s Tor-based C2 server is built to specifically avoid certain exit nodes in some former Soviet countries. To further spare Russian-language users, it possesses a credential-stealing component that deliberately avoids affecting any accounts labeled “Guest” or “Other user” in Russian.
Older variants of the malware contained bits of Russian-language settings and language code, and the name “Prometei” is a translation of “Prometheus” in various Slavic languages. In the famous myth, Zeus programs an eagle to attack Prometheus’ liver every day, only for the liver to persist through reboots each night.