New Prometei botnet uses Windows SMB to mine cryptocurrency

Researchers from Cisco Talos have come across a new multi-modular botnet designed to mine Monero cryptocurrency on infected hosts.


The botnet, dubbed "Prometei", propagates in several ways: over the Microsoft Windows SMB protocol with stolen credentials, via PsExec and WMI, and through SMB exploits. According to the Talos team, the botnet author is apparently aware of the recent SMBGhost vulnerability (CVE-2020-0796), but the researchers found no evidence of that flaw being exploited by the botnet.


The botnet's operator also uses several custom-built tools that help the botnet increase the number of systems involved in its Monero-mining operations.


The infection starts with the main botnet file, which is copied from other infected systems over SMB, using passwords retrieved by a modified Mimikatz module and exploits such as EternalBlue (MS17-010). The botnet contains over 15 executable modules, all of which are downloaded and driven by the main module, which communicates with the command and control (C2) server. The botnet also tries to recover administrator passwords and sends the stolen passwords to its C2 server. These passwords are then reused by other modules that attempt to gain access to further systems over SMB and RDP.


According to the report, the 15 modules are organized in two main functional branches that operate fairly independently. The first branch is written in C++ and uses a special type of obfuscation to evade detection systems, whereas the second branch is built on the .NET framework together with publicly available tools and open-source software, and is mainly used for brute-force attacks over SMB and RDP.
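The two behaviours the preceding paragraphs describe, password brute-forcing over SMB/RDP by the .NET branch and replay of stolen administrator credentials over SMB for lateral movement, both leave a footprint in Windows Security logs. The script below is an added example written for this article; it is not code from Cisco Talos or from the Prometei botnet. The log lines are constructed for illustration and follow a simplified pipe-delimited export of events 4624 (successful logon) and 4625 (failed logon); the thresholds and the field layout are assumptions to be tuned to the environment being monitored.

```python
"""Heuristics for the SMB/RDP brute-force and credential-reuse propagation
described above. Added example, not Talos or Prometei code; sample log lines
are constructed and the thresholds are assumptions."""
from collections import defaultdict, namedtuple

LogonEvent = namedtuple("LogonEvent", "event_id src_ip target_host account logon_type")

# Constructed sample lines: event_id|source_ip|target_host|account|logon_type
# Logon type 3 = network (SMB), 10 = RemoteInteractive (RDP), 2 = local interactive.
SAMPLE_LOG = """\
4625|10.0.0.7|FS01|administrator|3
4625|10.0.0.7|FS01|admin|3
4625|10.0.0.7|FS01|backup|3
4625|10.0.0.7|FS01|svc_sql|3
4625|10.0.0.7|FS01|test|3
4625|10.0.0.7|FS01|root|3
4624|10.0.0.7|FS01|CORP\\admin|3
4624|10.0.0.7|HR02|CORP\\admin|3
4624|10.0.0.7|DC01|CORP\\admin|3
4624|10.0.0.12|FS01|CORP\\jdoe|3
4625|10.0.0.12|WS17|CORP\\jdoe|2
4625|10.0.0.33|TS01|CORP\\jdoe|10
4625|10.0.0.33|TS01|CORP\\jdoe|10
"""


def parse_log(text):
    """Parse pipe-delimited lines into LogonEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        eid, src, host, acct, ltype = line.split("|")
        events.append(LogonEvent(int(eid), src, host, acct, int(ltype)))
    return events


def brute_force_sources(events, fail_threshold=5):
    """Source IPs with at least fail_threshold failed network (3) or RDP (10) logons.
    Many failures from one source, typically across several accounts, is the
    password-guessing pattern of the .NET brute-force branch. Local (type 2)
    failures are ignored so a user mistyping at the console does not alert."""
    failures = defaultdict(int)
    for ev in events:
        if ev.event_id == 4625 and ev.logon_type in (3, 10):
            failures[ev.src_ip] += 1
    return {src: n for src, n in failures.items() if n >= fail_threshold}


def credential_reuse(events, host_threshold=3):
    """(source IP, account) pairs that logged on successfully over the network to
    host_threshold or more distinct hosts: one stolen credential being replayed
    over SMB from a single compromised machine for lateral movement."""
    hosts = defaultdict(set)
    for ev in events:
        if ev.event_id == 4624 and ev.logon_type == 3:
            hosts[(ev.src_ip, ev.account)].add(ev.target_host)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= host_threshold}


def triage(text):
    """Run both heuristics over a log export and return the hits by category."""
    events = parse_log(text)
    return {
        "brute_force": brute_force_sources(events),
        "credential_reuse": credential_reuse(events),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

In the constructed sample, 10.0.0.7 first fails six network logons against FS01 with different account names and then succeeds as CORP\admin on three hosts, which is exactly the spray-then-replay sequence the article attributes to the botnet; 10.0.0.12 and 10.0.0.33 stay below both thresholds. In production the same logic would be fed from the Security channel (for example via a SIEM query) rather than a flat file, and the thresholds should be set from a baseline of normal admin activity.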


"Communication with the C2 server is conducted either directly over HTTP, TOR or I2P ..
