Cybereason Discovers Global Botnet Campaign Leveraging Microsoft Exchange Vulnerabilities


The Prometei Botnet impacts many industries globally; Victims are random, making the cryptomining botnet more dangerous and widespread

“The Prometei Botnet poses a big risk for companies because when the attackers take control of infected machines, they are capable of mining bitcoin by stealing processing power and also exfiltrating sensitive information,” said Assaf Dahan, senior director and head of threat research, Cybereason.

Cybereason, the leader in future-ready attack protection, today announced the discovery of a widespread, global campaign seeking to propagate the stealthy Prometei Botnet, by targeting organizations with a multi-stage attack to steal processing power to mine bitcoin. The threat actors, who appear to be Russian speakers, are taking advantage of previously disclosed Microsoft Exchange vulnerabilities leveraged in the Hafnium attacks to penetrate networks.

Prometei has a complex infrastructure designed to ensure persistence on infected machines. While Prometei was first reported on in July 2020, Cybereason assesses that the botnet actually dates back to at least 2016, a year before the now infamous WannaCry and NotPetya malware attacks that affected more than 200 countries and caused billions in damages. Prometei continues to evolve with new features and tools regularly observed.

“The Prometei Botnet poses a big risk for companies because it has been under-reported. When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well. If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints. And to make matters worse, cryptomining drains valuable network computing power, negatively impacting business operations and the performance and stability of critical servers,” said Assaf Dahan, senior director and head of threat research, Cybereason.

Key findings from the research include:

  • Wide Range of Victims: Victims have been observed across a variety of industries, including finance, insurance, retail, manufacturing, utilities, travel and construction. Infected companies are based in countries around the world, including the United States, the United Kingdom, Germany, France, Spain, Italy and other European countries, as well as South America and East Asia.
  • Russian-Speaking Threat Actor: The threat actor appears to be Russian speaking and is purposely avoiding infections in former Soviet bloc countries.
  • Exploiting SMB and RDP Vulnerabilities: The main objective of Prometei is to install the Monero crypto miner on corporate endpoints. To spread across networks, the threat actor is using known Microsoft Exchange vulnerabilities, in addition to the known exploits EternalBlue (SMB) and BlueKeep (RDP).
  • Cross-Platform Threat: Prometei has both Windows-based and Linux/Unix-based versions, and it adjusts its payload to the operating system detected on the targeted machine when spreading across the network.
  • Cybercrime with APT Flavor: Cybereason assesses that the Prometei Botnet operators are financially motivated and intent on generating hefty sums of bitcoin, but are likely not backed by a nation-state.
  • Resilient C2 Infrastructure: Prometei is designed to interact with four different C2 servers, which strengthens the botnet’s infrastructure and maintains continuous communications, making it more resistant to takedowns.

Recommendations to organizations on containing the Microsoft Exchange vulnerabilities include continuously hunting for threats in the environment and maintaining strong patch management policies to ensure that all patches are installed promptly. In addition, critical network assets should be hardened, multi-factor authentication should be enforced, and endpoint detection and response tools should be deployed.

About Cybereason
Cybereason is the champion for today’s cyber defenders providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere. Cybereason is a privately held, international company headquartered in Boston with customers in more than 30 countries.


Media contact:
Bill Keeler
Senior Director, Global Public Relations
+1 (929) 259-3261
