Prometei botnet exploits Windows SMB to mine for cryptocurrency

The new botnet has been quietly operating since March.


A new botnet has been spotted in the wild which exploits the Microsoft Windows SMB protocol to move laterally across systems while covertly mining for cryptocurrency. 

In a report shared with ZDNet on Wednesday, Cisco Talos explained that the Prometei malware has been making the rounds since March 2020.

The new botnet is considered noteworthy as it uses an extensive modular system and a variety of techniques to compromise systems and hide its presence from end users in order to mine for Monero (XMR). 

Prometei's infection chain begins with an attempted compromise of a machine's Windows Server Message Block (SMB) service via SMB vulnerabilities, including EternalBlue.

Mimikatz and brute-force attacks are used to scan for, store, and try out stolen credentials, and any passwords discovered are sent to the operator's command-and-control (C2) server for reuse by "other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols," according to the researchers. 


In total, the botnet has over 15 executable modules that are controlled by one main module. The botnet is organized into two main function branches: one C++ branch dedicated to cryptocurrency mining operations, and one -- based on .NET -- which focuses on credential theft, the abuse of SMB, and obfuscation.

The main branch, however, can operate independently from the second as it contains functionality for communicating with a C2, credential theft, and mining. 

Auxiliary modules have also been bolted on that let the malware communicate over the Tor or I2P networks, gather system information, check for open ports, spread across SMB, and scan for the presence of cryptocurrency wallets.


Once a system has been compromised and added to the botnet, the attacker is able to perform a variety of tasks, including executing programs and commands, launching command shells, setting RC4 encryption keys for communication, opening, downloading, and stealing files, and launching cryptocurrency mining operations, among other functions.

Based on Talos' examination of the mining module, it appears that current numbers of Prometei-infected systems are in the "low thousands." The botnet has only been operating for four months and so earnings are not high at present, generating only $1,250 per month on average.

Prometei C2 requests have been detected from countries including the US, Brazil, Turkey, China, and Mexico. 


One of the operator's C2 servers was seized in June, but this does not seem to have had any material impact on the Prometei operation. 

"Although earnings of $1,250 per month doesn't sound like a significant amount compared to some other cybercriminal operations, for a single developer in Eastern Europe, this provides more than the average monthly salary for many countries," Talos says. "Perhaps that is why, if we look at the embedded paths to program database files in many botnet components, we see a reference to the folder c:\Work."
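Talos' point about embedded program database paths is a reusable triage clue: PE files compiled with debug information carry a CodeView "RSDS" record holding the original .pdb path, so a build folder such as c:\Work can be hunted for across a sample set. The following Python is an added example, not code from the article or from Talos; the byte blob, GUIDs and paths in it are constructed, and the watch-list prefix is an assumption.

```python
import struct
import uuid

# Constructed test data: two fake RSDS (CodeView 7.0) debug records, as found
# in a PE debug directory, plus a truncated record at the end. Not real samples.
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 3)
    + b"c:\\Work\\example\\Release\\sample.pdb\x00"      # hypothetical path
    + b"\x90" * 5
    + b"RSDS" + bytes(16) + struct.pack("<I", 1)
    + b"D:\\builds\\legit\\app.pdb\x00"                   # hypothetical path
    + b"RSDS" + b"\xff" * 3                               # truncated: must not crash
)


def extract_pdb_records(blob: bytes):
    """Return (guid, age, pdb_path) for every well-formed RSDS record in blob.

    Record layout: 'RSDS' | 16-byte GUID (little-endian fields) | 4-byte age |
    NUL-terminated PDB path. Records cut off by the end of the blob are skipped.
    """
    records = []
    pos = 0
    while True:
        pos = blob.find(b"RSDS", pos)
        if pos < 0:
            break
        hdr_end = pos + 4 + 16 + 4
        if hdr_end > len(blob):          # header runs past the data
            break
        guid = str(uuid.UUID(bytes_le=blob[pos + 4:pos + 20]))
        (age,) = struct.unpack_from("<I", blob, pos + 20)
        nul = blob.find(b"\x00", hdr_end)
        if nul < 0:                      # path never terminated
            break
        records.append((guid, age, blob[hdr_end:nul].decode("latin-1")))
        pos = nul + 1
    return records


def suspicious_pdb_paths(blob: bytes, watch_prefixes=("c:\\work",)):
    """PDB paths whose build folder matches a watch-listed prefix (case-insensitive)."""
    prefixes = tuple(p.lower() for p in watch_prefixes)
    return [path for _, _, path in extract_pdb_records(blob)
            if path.lower().startswith(prefixes)]


if __name__ == "__main__":
    for guid, age, path in extract_pdb_records(SAMPLE_BLOB):
        print(f"{guid} age={age} {path}")
    print("watch-list hits:", suspicious_pdb_paths(SAMPLE_BLOB))
```

On a real file, read the PE bytes and pass them in; the same scan works on memory dumps, since the search does not depend on PE header parsing.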
