Prometei Botnet

Prometei is a modular worm used in targeted attacks against Windows Server and Linux-based systems. Written in C++ and .NET, it attempts to enrol devices into a botnet to then be used to mine a variety of cryptocurrencies including Bitcoin and Monero.


Affected platforms

The following platforms are known to be affected:

  • Windows Server
  • Linux-based systems

The following platforms are also known to be affected:

  • Internet-of-Things devices

Threat details

Introduction

First observed in March 2020, Prometei (also known as Prometheus) is a modular worm and botnet targeting exposed Windows servers and Linux-based systems globally. Devices enrolled into Prometei's botnet are then used to mine a number of cryptocurrencies.


Delivery

Prometei's operators gain access to new target networks using a combination of RDP and SMB exploits, including EternalBlue, together with stolen credentials. Once they have a foothold, they use PsExec and WMI to download and install Prometei.

There is also evidence that Prometei's operators are attempting to incorporate the SMBGhost and SMBleed exploits. However, at the time of publication, exploits for these vulnerabilities have not been observed in Prometei's attack chain.


Activities

Once present on a network, Prometei deploys a number of modules to perform anti-analysis and security checks before connecting to a command and control (C2) server over HTTP, Tor, or I2P. It then downloads and executes a number of cryptocurrency mining tools, using mining pools supplied by the C2 server. Prometei can also act as a backdoor for other payloads, although this behaviour has not yet been observed in any campaign.

Prometei will also attempt to propagate to systems on the network using the same set of exploits used to gain initial access. A modified version of the Mimikatz credential stealer is also used to obtain SMB or RDP account details which can then be used for lateral movement.

Interestingly, Prometei's modules are constructed differently depending on their purpose: all mining operations are written in C++, whilst the propagation and credential-harvesting functions are .NET based. This suggests Prometei may be a combination of underlying tools from disparate creators.


Threat updates

29 Apr 2021: Prometei now exploiting Microsoft Exchange ProxyLogon vulnerabilities

Exploiting the ProxyLogon vulnerabilities (CVE-2021-27065 and CVE-2021-26858), Prometei's operators have been installing the China Chopper web shell to gain backdoor access to Microsoft Exchange servers. From there, PowerShell is used to download the Prometei payload.

Once installed, Prometei invokes a module fraudulently named "Microsoft Exchange Defender", which removes other malware web shells already present on the Exchange server so that Prometei retains exclusive use of the host for mining cryptocurrency.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

URLs

  • 103[.]11[.]244[.]221/crawler[.]php
  • 103[.]11[.]244[.]221/lR[.]php
  • 208[.]66[.]132[.]3:8080/_agent[.]7z
  • 208[.]66[.]132[.]3:8080/7z[.]dll
  • 208[.]66[.]132[.]3:8080/7z[.]exe
  • 208[.]66[.]132[.]3:8080/chk445[.]php
  • 208[.]66[.]132[.]3:8080/Desktop[.]txt
  • 208[.]66[.]132[.]3:8080/dllr0[.]php
  • 208[.]66[.]132[.]3:8080/srchindx2[.]php
  • 208[.]66[.]132[.]3:8080/zlib[.]php
  • 208[.]66[.]132[.]3:8080/ztasklist[.]php
  • 211[.]23[.]16[.]239/prometheus[.]php
  • 69[.]28[.]95[.]50:180/miwalk[.]txt
  • 69[.]28[.]95[.]50:180/walker14364[.]php
  • 69[.]84[.]240[.]57:180/lR[.]php
  • 69[.]84[.]240[.]57:180/miwalk[.]txt
  • 69[.]84[.]240[.]57:180/walker14364[.]php
  • bk1[.]bitspiritfun2[.]net/cgi-bin/prometei[.]cgi
  • gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei[.]cgi
  • p1[.]feefreepool[.]net/cgi-bin/prometei[.]cgi

Host indicators

Filenames

  • chk445.exe
  • crawler.exe
  • miwalk.exe
  • msdtc.exe
  • nvstub.exe
  • nvsync2.exe
  • nvsync4.exe
  • ps.exe
  • rdpcIip.exe
  • SearchIndexer.exe
  • smcard.exe
  • socks.exe
  • svchost1.exe
  • svchost2.exe
  • svchost64bitearlier.exe
  • tor-gencert.exe
  • zsvc.exe
  • ztasklist.exe

SHA256 hashes

  • 02e1852066ad61bddf98943cb8e3091d6e23d75bf24340809e8212aedfd6e450
  • 0970037be8f90c3b2b718858a032e77916969113823895e268c7693dddba1181
  • 0c821863e8fd8e493d90004f734055f91b8f43d3b905a38dc983443146f48602
  • 0d6ca238faf7911912b84086f7bdad3cd6a54db53677a69722de65982a43ee09
  • 0dd1d869b3c7ce4af03ce4db6172b84d66c3779b48493d7e504de9d350195c5b
  • 0ed9ac4238a4b5aadcd845e4dcd786ce2ee265a6b1a50e8b9019cceb6c013de5
  • 1946c56c261d86dd78f087cb6452a0cc58895c7bcb7c73a8023ee6c9d5a5c2eb
  • 1df6e9705e9ffb3d2c4f1d9ca49f1e27c4bcac13dba75eac9c41c3785a8ca4b1
  • 236120868431f1fe3637623a8a4cbda6bbfdd71c4e55a1dff76efa0381274623
  • 24554a4eed764023d6e5e4990729308ee80ce0f3437ab4af6ad0ebff64512516
  • 3574734ad6416ca584c4c0211156fb24107e9b983e6542199736530e4a4effcd
  • 382c3e80eadd7ca7b224ebe1fe656555fb15227face38fbea40ae4a9515ecb80
  • 4ec815b28fe30f61a282c1943885fa81c6e0e98413f5e7f3f89ec6810f3b62a3
  • 50c5a74fd34ae16557e077e4116b823d049ac735e0ec31328851b385b4891523
  • 54967e106bb2acfd5b4e69fc385c1c20d5af3bdc79b629a9e3ddb3a2375f0bc1
  • 559d65f11e9143dfb093cabc6a1430438643922035765a445276abd80c15ce4b
  • 57cb49a5406b0ed9c81907940fda8cd534116e19a7821ad3061b209f46675f2d
  • 58d210b47abba83c54951f3c08a91d8091beae300c412316089b5506bd330adc
  • 601a1269ca0d274e518848c35a2399115000f099df149673b9dbc3cd77928d40
  • 61428b3d336636bfef0e7fe1783f9b2d62182c06d3928ec4b9b7201170e24fb6
  • 6935e6a303d3dff35079ae3ec78fd85b7bd4ff3ee2458b82cbfa548d7972c6d7
  • 76110b87e46eb61f492d680a2b34662040bb9c25c947a599536cdaf5170fe581
  • 7c71fb85b94fb4ff06bbaf81d388d97f6e828428ee9f638525d4f6e488e71190
  • 7f78ddc27b22559df5c50fd1e5d0957369aadd1557a239aaf4643d51d54c4f94
  • 7f7f474d054ffc638b72f8bdd34e31315a8c72846d15479f86919569fea5b5fc
  • 89d5e5d51e9bb0cee8708adc5dd3e961410b6a55963f020a5930ed93aa68c0eb
  • 8b7b40c0f59bbe4c76521b32cc4e344033c5730ccb9de28cfba966d8c26ca3ef
  • 8ca679d542904a89d677cb3fd7db309364f2214f6dc5e89099081835bec4e440
  • 923201672a41f93fb43dae22f30f7d2d170c0b80e534c592e796bd8ad95654ea
  • 94d066b7d2d8b95d6da525f61c19a7bbdec5afdb033dfe2712dd51d5073b1db2
  • 994d20fee2bd05e67c688e101f747a5d17b0352a838af818ad357c8c7a34a766
  • 9a5c109426480c7283f6f659cb863be81bd46301548d2754baf8b38e9e88828d
  • 9e86d18d5761493e11fe95d166c433331d00e4f1bf3f3b23a07b95d449987b78
  • a02b532cc9dc257009d7f49382746d9d0bce331a665f4a4c12ae6fc2917df745
  • a122eeeac51784d54ddf159749b4e657ad821037237c07540fb2ff25a67b1210
  • a1c05973ac397fe81b2e553aecc322c794dc5977928e7b56cf1c8a62f68afdf0
  • a303bc8d4011183780344329445bc6dfbb8417f534f304c956e4f86468d620d5
  • a7ad84e8f5deb1d2e32dd84f3294404a5f7f739215bdd90d7d37d74ee8a05409
  • ae078c49adba413a10a38a7dcfc20359808bc2724453f6df03a517b622cbca0e
  • b0500636927b2ddb1e26a21fbf19a8c1fc47a260062976ddbef60fd47c21dc6e
  • b65aef379e3173ca32b83fd0c54483c2090966910fdda3145af97b5dbff85427
  • c08f291510cd4eccaacff5e04f0eca55b97d15c60b72b204eae1fc0c8d652f48
  • d363dc2aafdf0d9366b5848fc780edfa6888418750e2a61148436908ea3f5433
  • d3dc9cdb106902471ee95016440b855806e8e5dd0f313864e46126fd3ecfe4fe
  • dc2fee73b41d488a1cccd905ecc9030e66ff7c7e5dcf60fc580406c6f8090854
  • e0a181318eb881d481d2e4830289ed128006269ace890139f054cf050351500a
  • ea2174993892789f0c1081152c31b3b3fef79c6a5016840ea72321229c7fe128
  • ecd4c12ef01028c3f544c0f7c871c6d6f256997f1b7be4c8fdbb0f8572012444
  • eeb1a574da0836a4ac34132d96fd442d7c5827e607389ef1dfebeb419a09dae7
  • efaa199e64bd4132a4bf783c37bbc20fefb6ea45ff60ea68f4a4214bf8ab1268
  • f09679bae1388033b17196f92430678e7b15816648f380bb4de3dd25009011b7
  • f555431a09ae975ac0e8f138ce4eaf44cd8a3460e3bb7ba44b0101cd3a5b1157
  • f6eddbabc1d6b05d2bc27077bcb55ff640c5cf8b09a18fc51ed160a851f8be58
  • fe0a5d851a9dd2ba7d1b0818f59363f752fc7343bdfc306969280ade54b2f017
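The indicators above are published defanged ("[.]" for "."), the network ones omit the scheme, and several of the filenames (SearchIndexer.exe, svchost1.exe, rdpcIip.exe with a capital I in place of the l of the legitimate rdpclip.exe) are chosen to blend in with Windows binaries. The script below is an added example, not part of the NHS Digital advisory or of any Prometei tooling: it refangs a subset of the URL indicators, normalises them to host[:port]/path so that scheme, default port and query string do not matter, and then matches them against constructed proxy-log lines, a constructed process list and a constructed table of file hashes. Only the indicator strings come from the page; every log line, path and the pairing of a hash with a file are assumptions made for illustration. Filename matches are reported as weak evidence, because the page's list includes names that legitimate Windows binaries also use, while hash and URL matches are reported as strong.

```python
"""Match a subset of the Prometei indicators against constructed telemetry.

Added example: the indicator strings come from the advisory; the sample
proxy log, process list and hash table below are constructed for
illustration and are not real observations.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Subset of the advisory's indicators; the complete lists are above.
NETWORK_IOCS_DEFANGED = [
    "103[.]11[.]244[.]221/crawler[.]php",
    "208[.]66[.]132[.]3:8080/_agent[.]7z",
    "208[.]66[.]132[.]3:8080/chk445[.]php",
    "gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei[.]cgi",
    "p1[.]feefreepool[.]net/cgi-bin/prometei[.]cgi",
]
FILENAME_IOCS = ["chk445.exe", "miwalk.exe", "rdpcIip.exe", "SearchIndexer.exe", "ztasklist.exe"]
HASH_IOCS = {
    "02e1852066ad61bddf98943cb8e3091d6e23d75bf24340809e8212aedfd6e450",
    "fe0a5d851a9dd2ba7d1b0818f59363f752fc7343bdfc306969280ade54b2f017",
}


def refang(ioc: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging used in published indicators."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)


def url_key(url: str) -> str:
    """Normalise a URL to 'host[:port]/path'.

    Scheme, default ports (80/443), host case and the query string are
    dropped; the path keeps its case because the C2 paths are served by
    case-sensitive web servers.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port
    netloc = host if port in (None, 80, 443) else f"{host}:{port}"
    return f"{netloc.lower()}{parts.path or '/'}"


NETWORK_KEYS = {url_key(refang(ioc)) for ioc in NETWORK_IOCS_DEFANGED}
FILENAME_KEYS = {name.casefold() for name in FILENAME_IOCS}


@dataclass(frozen=True)
class Finding:
    kind: str        # "network", "filename" or "hash"
    confidence: str  # "strong" for URL/hash matches, "weak" for a bare filename
    detail: str


def scan_proxy_log(lines):
    """Return a Finding for each request whose host/path matches a network IoC."""
    findings = []
    for line in lines:
        fields = line.split()          # timestamp client method url status
        if len(fields) < 4:
            continue
        url = fields[3]
        if url_key(url) in NETWORK_KEYS:
            findings.append(Finding("network", "strong", f"{fields[1]} -> {url}"))
    return findings


def scan_processes(processes, hashes):
    """Match image names (case-insensitively, as NTFS does) and SHA-256 digests.

    A name alone is weak evidence: SearchIndexer.exe is on the indicator list
    but is also a legitimate Windows binary, so a bare name match is reported
    as "weak" unless the file's hash is also listed. The homoglyph rdpcIip.exe
    still differs from rdpclip.exe after case folding, so the legitimate
    clipboard helper is not flagged.
    """
    findings = []
    for pid, path in processes:
        name = path.rsplit("\\", 1)[-1]
        digest = hashes.get(path, "").lower()
        if digest in HASH_IOCS:
            findings.append(Finding("hash", "strong", f"pid {pid} {path} sha256={digest[:12]}..."))
        elif name.casefold() in FILENAME_KEYS:
            findings.append(Finding("filename", "weak", f"pid {pid} {path}"))
    return findings


# Constructed sample telemetry (not from the advisory).
SAMPLE_PROXY_LOG = """\
2021-04-29T10:02:11Z 10.20.30.40 GET http://208.66.132.3:8080/chk445.php 200
2021-04-29T10:02:12Z 10.20.30.40 GET http://208.66.132.3:8080/_agent.7z 200
2021-04-29T10:03:05Z 10.20.30.41 GET https://www.example.com/index.html 200
2021-04-29T10:07:03Z 10.20.30.40 GET http://p1.feefreepool.net/cgi-bin/prometei.cgi?r=1 200
2021-04-29T10:08:44Z 10.20.30.42 GET http://103.11.244.221:80/crawler.php 404
""".splitlines()

SAMPLE_PROCESSES = [
    ("4321", r"C:\Windows\System32\rdpclip.exe"),       # legitimate: lower-case l
    ("5120", r"C:\Windows\rdpcIip.exe"),                 # indicator: capital I homoglyph
    ("5288", r"C:\Windows\System32\SearchIndexer.exe"),  # legitimate name that is on the list
    ("6004", r"C:\Users\Public\MIWALK.EXE"),             # different case, still a name match
]
# Pairing of a listed hash with a file is illustrative; the page does not say
# which file each hash belongs to. The all-zero/all-one digests are placeholders.
SAMPLE_HASHES = {
    r"C:\Windows\rdpcIip.exe": "02E1852066AD61BDDF98943CB8E3091D6E23D75BF24340809E8212AEDFD6E450",
    r"C:\Windows\System32\SearchIndexer.exe": "0" * 64,
    r"C:\Users\Public\MIWALK.EXE": "1" * 64,
}


def scan_all():
    """Run both scans over the constructed samples and return all findings."""
    return scan_proxy_log(SAMPLE_PROXY_LOG) + scan_processes(SAMPLE_PROCESSES, SAMPLE_HASHES)


if __name__ == "__main__":
    for finding in scan_all():
        print(f"[{finding.confidence:6}] {finding.kind:8} {finding.detail}")
```

To use it against real data, replace the three SAMPLE_ structures with the full indicator lists and your own proxy export, process listing and hash inventory; the only field the proxy parser relies on is the URL being the fourth whitespace-separated column. A weak filename finding is a prompt to collect the file's hash and path, not a verdict on its own.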

Last edited: 29 April 2021 3:34 pm