Cryptojacking botnet Prometei uses NSA exploit to steal data, mine Monero

Prometei botnet targets Windows devices.


Cisco Talos’ threat intelligence team published a report revealing startling details of how cybercriminals are continually reinventing the way they can monetize their malicious tools and techniques. Reportedly, Cisco Talos researchers discovered a “complex” new campaign involving a multi-modular cryptojacking botnet named “Prometei.”


The botnet can spread in multiple ways, including Windows Server Message Block (SMB) exploits, stolen credentials, WMI, and PsExec. It carries a payload added specifically to mine the Monero cryptocurrency, and it can also steal data from the victim’s device.


See: 17-year-old “wormable” SigRed vulnerability found in Windows servers


Prometei mainly abuses the SMB protocol to move laterally across the targeted systems. The infection chain starts by compromising the device over Windows SMB, exploiting SMB vulnerabilities such as EternalBlue or the more recent SMBGhost.


It is worth noting that EternalBlue is an exploit developed by the U.S. National Security Agency (NSA). On April 14, 2017, the exploit was stolen and leaked by the Shadow Brokers hacker group. Since then, it has been used in several malware attacks, including the recently reported Lucifer malware, which infects Windows devices to launch DDoS attacks.

As for Prometei, the botnet uses brute-force and Mimikatz attacks to scan for, store, and try stolen credentials. The discovered passwords are sent to a C&C server for valid ..