Mischievous Prometei and Its Hunt for Monero
Recently, on Wednesday, July 22, Cisco Talos discovered a cryptocurrency-mining botnet attack which they’re calling “Prometei” is suspected to be secretly active since the beginning of March. The adversary behind the botnet employs a myriad of TTPs in order to spread across the environment like abusing the Server Message Block (SMB) protocol to steal credentials, EternalBlue exploit, PSExec, and Windows Management Instrumentation (WMI). Cisco Talos also claims that this is the first time that anyone’s documented Prometei’s operations.
Insights
Cisco Talos: a threat intelligence organization at the center of the Cisco Security portfolio.
Every other day, we hear about the ransomware attacks and other dark-sided cyber jargons making the headlines among which botnet has also occupied its place for its less-intrusive behavior. Adversaries are still using these network of bots (shortened for “robots”) to monetize their efforts with ease.
Talos explains Prometei as a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by covertly mining the Monero (XMR) online currency.
The actor employs a myriad of techniques to spread across the network, like SMB with stolen credentials, PSExec, WMI, and SMB exploits. These techniques help the botnet to fly under the radar of end-users, though the strategies themselves might be obvious to a defender.
Also, several crafted tools have been used that help the botnet increase the number of systems participating in its Monero-mining pool. Some of the weapons under Prometei’s arsenal are Mimikatz (miwalk.exe), Tor module, and open port scanner.
Prometei’s Anatomy
In total, the botnet packs over 15 executable modules that are controlled by one main module. The botnet is organized into two main function branches — one C++ branch dedicated to cryptocurrency mining operations, and another based on .NET — which focuses on credential theft, the abuse of SMB, and obfuscation.
What makes it more interesting is that the main branch (Rdpcl1p branch) can operate independently from the second, as it contains functionality for communicating with a C2 (Command & Control), credential theft, and mining. All modules of the main botnet branch are compiled as 64-bit applications, although some 32-bit variants are also reported to be found.
Different types of auxiliary modules have also been bolted-on which can be used by the malware to communicate over TOR / I2P networks, to gather system information, check for open ports, to spread across SMB, and to crawl the file systems in search for file names given as the argument to the module, typically Bitcoin cryptocurrency wallets.
“The second branch main module nvsync.exe, which communicates with its own C2, contains some indication that its purpose is cryptocurrency mining, but we have not found evidence of that.” Talos Intelligence group predicts.
How It’s Spreading
Prometei’s infection chain begins with the attempted compromise of a machine’s Windows Server Message Block (SMB) protocol via SMB vulnerabilities including Eternal Blue. After successful penetration, more than 15 executable modules are downloaded by the main module from the C2 server over HTTP.
Mimikatz and brute-force attacks are used to scan for, store, and try out stolen credentials, and any passwords discovered are sent to the operator’s command-and-control (C2) server for reuse by “other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols,” according to the researchers.
Once a system has been compromised and added to the slave network, the attacker is able to perform a variety of tasks, including executing programs and commands, launching command shells, setting RC4 encryption keys for communication, opening, downloading, and stealing files, and launching cryptocurrency mining operations, among other functions.
Based on Talos’ examination of the mining module, it appears that current numbers of Prometei-infected systems are in the “low thousands.” The botnet has only been operating for four months and so earnings are not high at present, generating only $1,250 per month on average.
Prometei C2 requests have been detected from countries including the US, Brazil, Turkey, China, and Mexico.
Purportedly, the attack suffered a blow in June due to a takeover of one of its command and control (C2) servers.
But this takeover didn’t stop its mining capabilities or the validation of stolen credentials. The botnet continues to make a moderate profit for a single developer, most likely based in Eastern Europe.
“Although earnings of $1,250 per month don’t sound like a significant amount compared to some other cybercriminal operations, for a single developer in Eastern Europe, this provides more than the average monthly salary for many countries,” Talos says.
With the indications of the Monero mining calculator available on Cryptocompare.com, the stats obtained is presented as shown.
The actor behind it is also likely its developer. The TTPs indicate we may be dealing with a professional developer, based on their ability to integrate SMB exploits such as Eternal Blue and authentication code and the use of existing open-source projects, such as Mimikatz and FreeRDP.
Conclusion
Though continuous monitoring and logging, some malware successfully fly under detection teams’ radar, possibly due to their small size or constant advancements on the adversary’s part. A model example of such malware is Prometei whose main focus in Monero-mining.
This botnet was come across by investigating telemetry information coming to Talos from Cisco AMP for Endpoints’ install base. The detection was possible because of the regular hunting sessions by Threat Intelligence Team to find new malware that may be running under the radar.
What makes us more worrying is that it is not just a generic miner (computing-power thief), rather it can be operated as a normal Trojan or info-stealing malware. Threat actors behind the botnet are evolving rapidly, thus adding new modules to enhance the functionality of the botnet.
Although we only saw evidence of stolen credentials being used for lateral escalation, they also have a value on underground markets and the damage potential of losing important administrative username and password is very high. This is why organizations that detect the presence of Prometei botnet on their system should act immediately to remove it and to make sure none of their credentials are leaked to the command and control server.
Defenders need to be constantly vigilant and monitor the behavior of systems within their network. Attackers are like water — they will attempt to find the smallest crack to seep in. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure.
Founder of cybersecnerds.com. Electronics Engineer by profession, Security Engineer by passion.
I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.