Prometei Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/prometei/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Prometei botnet attacks vulnerable Microsoft Exchange servers
Fri, 23 Apr 2021 16:24:44 +0000
https://gridinsoft.com/blogs/prometei-attacks-microsoft-exchange/

Since patches for the ProxyLogon vulnerabilities are still not installed everywhere, cybercriminals continue their activity: for example, the updated Prometei botnet is attacking vulnerable Microsoft Exchange servers.

Researchers from Cybereason Nocturnus discovered Prometei malware, which mines Monero cryptocurrency on vulnerable machines.

In early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities in the Exchange mail server, which the researchers collectively named ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

These vulnerabilities can be chained together and exploited to allow an attacker to authenticate on the Exchange server, gain administrator rights, install malware and steal data.

In early March 2021, attacks on vulnerable servers were carried out by more than 10 hacking groups, which deployed web shells, miners and ransomware on the servers.

According to statistics released by Microsoft last month, approximately 92% of all Internet-connected Exchange servers have already received patches.

This modular malware was first detected last year. It is capable of infecting Windows and Linux systems, and has previously used the EternalBlue exploit to spread across compromised networks and compromise vulnerable machines.

Cybereason Nocturnus experts write that Prometei has been active since at least 2016 (judging by the samples uploaded to VirusTotal). The botnet was recently updated and “learned” how to exploit the ProxyLogon vulnerabilities.

Thus, Prometei now attacks Exchange servers, installs mining payloads on them, and then tries to spread further across the infected network using the EternalBlue and BlueKeep exploits, harvested credentials, and its SSH and SQL modules.

The updated malware has backdoor capabilities with support for an extensive set of commands, including downloading and executing files, searching for files on infected systems, and executing programs or commands on behalf of the attackers.

[Image: Prometei attacks Microsoft Exchange]

“If desired, attackers can infect compromised endpoints with other malicious programs and cooperate with ransomware operators, selling them access to systems,” the researchers warn.

Let me remind you that I also talked about the fact that the FBI removed web shells from vulnerable Microsoft Exchange servers without informing their owners.

The post Prometei botnet attacks vulnerable Microsoft Exchange servers appeared first on Gridinsoft Blog.

Prometei botnet uses SMB for distribution
Thu, 23 Jul 2020 16:32:14 +0000
https://gridinsoft.com/blogs/prometei-botnet-uses-smb-for-distribution/
Cisco Talos has discovered a new botnet, Prometei, which has been active since March 2020 and is focused on mining the Monero (XMR) cryptocurrency. The researchers note that the Prometei botnet relies heavily on the SMB protocol for distribution.

The malware mainly attacks users from the USA, Brazil, Pakistan, China, Mexico and Chile. During four months of activity, the botnet operators “earned” about $5,000, that is, an average of about $1,250 per month.

Do you know who else is focused on mining Monero and wields a variety of exploits? Lucifer! (Don’t be alarmed: that is the name of another piece of malware.)

“The malware uses several techniques for distribution, including LOLbins (living off the land) to use legitimate Windows processes to execute malicious code (including PsExec and WMI), SMB exploits (including EternalBlue), and stolen credentials,” write Cisco Talos experts.

In total, the researchers counted more than 15 components in Prometei. All of them are controlled by the main module, which encrypts data with RC4 before sending it to the command-and-control server over HTTP.

[Image: Prometei botnet uses SMB]

Auxiliary modules can be used to establish communication over Tor or I2P, collect system information, check open ports, spread via SMB, and scan the infected system for any cryptocurrency wallets.

For example, the botnet steals passwords using a modified version of Mimikatz (miwalk.exe); the passwords are then passed to the spreader module (rdpclip.exe), which uses them to authenticate to other hosts via SMB. If that doesn’t work, the EternalBlue exploit is used for propagation.

The final payload delivered to the compromised system is SearchIndexer.exe, which is simply XMRig version 5.5.3.

However, the experts write that Prometei is not just a miner: the malware can also be used as a full-fledged Trojan and info-stealer.

“The botnet is split into two main branches: the C++ branch is dedicated to cryptocurrency mining operations, and the .NET-based branch focuses on credential theft, SMB attacks and obfuscation. At the same time, the main branch can work independently from the second one, since it can independently communicate with the control server, steal credentials and engage in mining,” say the researchers.

Cisco Talos experts point out that Prometei is unlike most mining botnets. Its authors not only divided their tools according to their purpose, they also “taught” the malware to evade detection and analysis. In particular, even the earlier versions contain several layers of obfuscation, and these have become considerably more elaborate in later versions.

The post Prometei botnet uses SMB for distribution appeared first on Gridinsoft Blog.
