The recent Microsoft Exchange Server vulnerabilities may have initially been exploited by a government-backed APT group, but cybercriminals quickly followed suit, using them to deliver ransomware and grow their botnets.
One perpetrator of the latter activity is Prometei, a cross-platform (Windows, Linux), modular Monero-mining botnet that appears to have flown under the radar for years.
The attackers’ modus operandi
Cybereason incident responders have witnessed instances of the botnet enslaving endpoints of companies across the globe, in a wide variety of industries.
“The victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread,” shared Lior Rochberger, senior threat researcher at Cybereason.
One thing that the responders noticed, though, is that the botnet avoids targets in former Soviet bloc countries. For these reasons and others, they believe it is operated by Russian-speaking cybercriminals and not by state-sponsored threat actors.
Apart from exploiting CVE-2021-27065 and CVE-2021-26858, two MS Exchange vulnerabilities, the botnet also uses known exploits (EternalBlue and BlueKeep) to leverage old security issues in the SMB and RDP protocols, and brute-forces SSH credentials to spread to as many endpoints on the compromised network as possible.
Prometei’s attack sequence
The malware is also adept at remaining hidden from defenders and at preventing other potential attackers from using the compromised endpoints.
It uses a variety of persistence techniques and creates firewall rules and registry keys to make sure that communication with its C&C servers can be established. It uses a customized version of Mimikatz to harvest credentials.
It also adds firewall rules to block certain IP addresses used by other (crypto-mining) malware, and uses a module that masquerades as a legitimate Microsoft endpoint protection program to constantly check a directory commonly used to host web shells.
“The malware is particularly interested in the file ‘ExpiredPasswords.aspx’, which was reported to be the name used to obscure the HyperShell backdoor used by APT34 (aka OilRig). If the file exists, the malware immediately deletes it,” Rochberger explained.
“Our assessment is that this tool is used to ‘protect’ the compromised Exchange Server by deleting potential web shells so Prometei will remain the only malware using its resources.”
An old threat?
Prometei was first discovered and documented by Cisco Talos researchers in 2020, but Cybereason researchers found evidence that it might date back as far as 2016 and has been evolving ever since, adding new modules and techniques to its capabilities.
“During our investigation, we found different parts of the old infrastructure that are now sinkholed or taken down,” Assaf Dahan, Senior Director, Head of Threat Research, Cybereason, told Help Net Security.
“Between 2019 and early 2020, the operators of Prometei made some significant changes to the botnet, which included using four different C2 servers embedded in the code – in an attempt to make the botnet more resilient to takedowns. We assess that the latest surge of compromises related to Prometei is another attempt to further build the botnet and expand their operation.”