March 10, 2023Rabbi Lakshmananendpoint security / hacking

An updated version of the botnet malware called Prometheus has infected over 10,000 systems worldwide since November 2022.

Transmission is geographically indiscriminate and opportunistic, with the majority of victims reported in Brazil, Indonesia, and Turkey.

First seen in 2016, Prometei is a modular botnet with many components and several propagation methods, including one that exploits the ProxyLogon flaw in Microsoft Exchange Server.

It is also worth noting that it avoided attacking Russia. This suggests that the attackers behind the operation are likely based in Russia.

Cross-platform botnets are financially motivated, primarily leveraging pools of infected hosts to mine cryptocurrency and collect credentials.

The latest variant of Prometei (referred to as v3) improves on existing functionality to challenge forensic analysis and dig deeper into its access to the victim’s machine, Cisco Talos. Said In a report shared with The Hacker News.

Prometei botnet

The attack sequence proceeds as follows. Once a successful foothold is obtained, a PowerShell command is executed to download botnet malware from a remote server. Prometei’s main module is then used to retrieve the actual cryptocurrency mining payload and other ancillary components on the system.

Some of these support modules are the Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB).


Discover the hidden dangers of third-party SaaS apps

Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions granted and how to minimize the risks.

reserve a seat

Prometei v3 is a domain generation algorithm (DGAMore) to build a command and control (C2) infrastructure. Additionally, it incorporates a self-updating mechanism and an extended set of commands to gather sensitive data and expropriate hosts.

Finally, the malware deploys an Apache web server bundled with a PHP-based web shell. This web shell can execute Base64 encoded commands and perform file uploads.

Talos said:

Did you find this article interesting?Please follow us twitter and LinkedIn To read more exclusive content that we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog