NEWS SUMMARY
We are used to ransomware attacks and big-game hunting making the headlines, but there are still methods adversaries use to monetize their efforts in less intrusive ways.
Cisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling "Prometei" using several techniques that defenders are likely to spot, but are not immediately obvious to end-users.
These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably T1089 (Disabling Security Tools), T1105 (Remote File Copy), T1027 (Obfuscated Files or Information), T1086 (PowerShell), T1035 (Service Execution), T1036 (Masquerading) and T1090 (Connection Proxy).
Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by mining the Monero online currency. The actor employs various methods to spread across the network, like SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that helps the botnet increase the amount of systems participating in its Monero-mining pool.
What's new?
We believe this is the first time that anyone's documented Prometei's operations. The actor ..
Support the originator by clicking the read the rest link below.
