Prometei: Yet Another Malware Weaponizing Proxylogon Vulnerabilities

The exploitation of ProxyLogon vulnerabilities in Microsoft Exchange servers has exploded to an extent that threat actors are modifying their attacks to distribute a variety of malware. The latest in a row to weaponize these vulnerabilities is a botnet dubbed Prometei.

What’s happening?

Recently, the Cybereason Nocturnus Team responded to several incidents involving infections from the Prometei botnet against companies in North America.
The attackers exploited two of the ProxyLogon vulnerabilities (CVE-2021-27065 and CVE-2021-26858) to penetrate the network and install the China Chopper webshell, which ultimately downloaded the botnet.
Prometei is a modular, multi-stage cryptocurrency-mining botnet with both Windows and Linux versions.
However, the variant used in the recent attacks was found to give the attackers a stealthy and sophisticated backdoor that supported a wide range of tasks, as well as credential harvesting.

Key findings

The victimology of the botnet ranges across multiple sectors, including finance, insurance, retail, manufacturing, utilities, travel, and construction.
It has been observed infecting networks in the U.S., the U.K., and several other European, South American, and East Asian countries.

Abuse of ProxyLogon - A matter of concern

On March 2, the world was introduced to four critical zero-day vulnerabilities impacting multiple versions of Microsoft Exchange Server.
Despite the release of patches, the vulnerabilities, collectively dubbed ProxyLogon, attracted a number of malware attacks from multiple threat actor groups.
Some of the notable malware observed in the exploitation include DearCry ransomware, Black Kingdom ransomware, and XMR-Stak Miner.