March 25, 2023

Mar 10, 2023Ravie LakshmananEndpoint Safety / Hacking

Prometei Botnet

An up to date model of a botnet malware known as Prometei has contaminated greater than 10,000 programs worldwide since November 2022.

The infections are each geographically indiscriminate and opportunistic, with a majority of the victims reported in Brazil, Indonesia, and Turkey.

Prometei, first noticed in 2016, is a modular botnet that options a big repertoire of parts and a number of other proliferation strategies, a few of which additionally embrace the exploitation of ProxyLogon Microsoft Change Server flaws.

It is also notable for avoiding placing Russia, suggesting that the risk actors behind the operation are doubtless primarily based within the nation.

The cross-platform botnet’s motivations are monetary, primarily leveraging its pool of contaminated hosts to mine cryptocurrency and harvest credentials.

The most recent variant of Prometei (known as v3) improves upon its current options to problem forensic evaluation and additional burrow its entry on sufferer machines, Cisco Talos said in a report shared with The Hacker Information.

Prometei Botnet

The assault sequence proceeds thus: Upon gaining a profitable foothold, a PowerShell command is executed to obtain the botnet payload from a distant server. Prometei’s predominant module is then used to retrieve the precise crypto-mining payload and different auxiliary parts on the system.

A few of these assist modules perform as spreader packages designed to propagate the malware by means of Distant Desktop Protocol (RDP), Safe Shell (SSH), and Server Message Block (SMB).


Uncover the Hidden Risks of Third-Celebration SaaS Apps

Are you conscious of the dangers related to third-party app entry to your organization’s SaaS apps? Be part of our webinar to be taught in regards to the forms of permissions being granted and the way to decrease danger.


Prometei v3 can also be noteworthy for utilizing a website technology algorithm (DGA) to construct out its command-and-control (C2) infrastructure. It additional packs in a self-update mechanism and an expanded set of instructions to reap delicate information and commandeer the host.

Final however not least, the malware deploys an Apache net server that is bundled with a PHP-based net shell, which is able to executing Base64-encoded instructions and finishing up file uploads.

“This latest addition of recent capabilities [indicates] that the Prometei operators are constantly updating the botnet and including performance,” Talos researchers Andrew Windsor and Vanja Svajcer mentioned.

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.