The recent Microsoft Exchange Server vulnerabilities might have initially been exploited by a government-backed APT group, but cybercriminals soon followed suit, using them to deliver ransomware and grow their botnet.
One perpetrator of the latter activities is Prometei, a cross-platform (Windows, Linux), modular Monero-mining botnet that seems to have flown under the radar for years.
The attackers’ modus operandi
Cybereason incident responders have witnessed instances of the botnet enslaving endpoints of companies across the globe, in a variety of industries.
“The victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread,” shared Lior Rochberger, senior threat researcher at Cybereason.
One thing that the responders noticed, though, is that the botnet avoids targets in former Soviet bloc countries. For these reasons and others, they believe it is operated by Russian-speaking cybercriminals and not state-sponsored threat actors.
Aside from exploiting CVE-2021-27065 and CVE-2021-26858, two MS Exchange vulnerabilities, the botnet also uses known exploits (EternalBlue and BlueKeep) to leverage old security issues in the SMB and RDP protocols and brute-forces SSH credentials to spread to as many endpoints on the compromised network as possible.
Prometei’s attack sequence
The malware is also adept at remaining hidden from defenders and preventing other potential attackers from using the compromised endpoints.
It uses a variety of persistence techniques and creates firewall rules and registry keys to make sure communication with its C&C servers can be established. It uses a customized version of Mimikatz to harvest credentials.
It also adds firewall rules to block certain IP addresses used by other (crypto-mining) malware, and uses a module ..