An updated version of the botnet malware called Prometheus has infected over 10,000 systems worldwide since November 2022.
Transmission is geographically indiscriminate and opportunistic, with the majority of victims reported in Brazil, Indonesia, and Turkey.
First seen in 2016, Prometei is a modular botnet with many components and several propagation methods, including one that exploits the ProxyLogon flaw in Microsoft Exchange Server.
It is also worth noting that it avoided attacking Russia. This suggests that the attackers behind the operation are likely based in Russia.
Cross-platform botnets are financially motivated, primarily leveraging pools of infected hosts to mine cryptocurrency and collect credentials.
The latest variant of Prometei (referred to as v3) improves on existing functionality to challenge forensic analysis and dig deeper into its access to the victim’s machine, Cisco Talos. Said In a report shared with The Hacker News.
The attack sequence proceeds as follows. Once a successful foothold is obtained, a PowerShell command is executed to download botnet malware from a remote server. Prometei’s main module is then used to retrieve the actual cryptocurrency mining payload and other ancillary components on the system.
Some of these support modules are the Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB).
Discover the hidden dangers of third-party SaaS apps
Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions granted and how to minimize the risks.
Prometei v3 is a domain generation algorithm (DGAMore) to build a command and control (C2) infrastructure. Additionally, it incorporates a self-updating mechanism and an extended set of commands to gather sensitive data and expropriate hosts.
Finally, the malware deploys an Apache web server bundled with a PHP-based web shell. This web shell can execute Base64 encoded commands and perform file uploads.
Talos said:
