The recent Microsoft Exchange Server vulnerabilities may have initially been exploited by a government-backed APT group, but cybercriminals quickly followed suit, using them to deliver ransomware and grow their botnets.
One perpetrator of the latter is Prometei, a cross-platform (Windows, Linux), modular Monero-mining botnet that appears to have flown under the radar for years.
The attackers’ modus operandi
Cybereason incident responders have witnessed instances of the botnet enslaving endpoints of companies across the globe, in a variety of industries.
“The victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread,” shared Lior Rochberger, senior threat researcher at Cybereason.
One thing that the responders noticed, though, is that the botnet avoids targets in former Soviet bloc countries. For these reasons and others, they believe it is operated by Russian-speaking cybercriminals and not state-sponsored threat actors.
Aside from exploiting CVE-2021-27065 and CVE-2021-26858, two MS Exchange vulnerabilities, the botnet also uses known exploits (EternalBlue and BlueKeep) to leverage old security issues in the SMB and RDP protocols, and brute-forces SSH credentials to spread to as many endpoints on the compromised network as possible.
Prometei’s attack sequence
The malware is also adept at remaining hidden from defenders and at preventing other potential attackers from using the compromised endpoints.
It uses a variety of persistence techniques and creates firewall rules and registry keys to make sure communication with its C&C servers can be established. It uses a customized version of Mimikatz to harvest credentials.
It also adds firewall rules to block certain IP addresses used by other (crypto-mining) malware, and uses a module that masquerades as a legitimate Microsoft endpoint protection program to constantly check a directory often used to host web shells.
“The malware is specifically interested in the file ‘ExpiredPasswords.aspx’, which was reported to be the name used to obscure the HyperShell backdoor used by APT34 (aka OilRig). If the file exists, the malware immediately deletes it,” Rochberger explained.
“Our assessment is that this tool is used to ‘protect’ the compromised Exchange Server by deleting potential WebShells so Prometei will remain the only malware using its resources.”
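Defenders can turn the same observation around: rather than waiting for one piece of malware to "clean up" another, hunt the web-accessible directories of an Exchange server for .aspx files that either carry a filename reported as a web shell (the page names ExpiredPasswords.aspx) or were modified after a known-good baseline such as the last patch time. The script below is an added example written for this article, not code from Cybereason, Prometei or Microsoft; the directory to scan is passed in because the page does not name it, the function and helper names are hypothetical, and the sample file tree it builds is constructed purely to show the two detection paths firing.

```python
"""Hunt for suspicious .aspx files under a web-served directory.

Added example (not Cybereason's or Prometei's code). Two indicators are used:
  1. a filename reported as a web-shell name (ExpiredPasswords.aspx, from the article);
  2. any .aspx file whose mtime is newer than a caller-supplied baseline
     (e.g. the timestamp of the last legitimate patch or deployment).
Any hit should be triaged, never auto-deleted: an analyst wants the file for forensics.
"""
import os
import tempfile
import time
from pathlib import Path

# Web-shell filename reported on the page; extend with your own indicators.
KNOWN_WEBSHELL_NAMES = {"expiredpasswords.aspx"}


def hunt_aspx(root, baseline_epoch, known=KNOWN_WEBSHELL_NAMES):
    """Return sorted (path, reason) tuples for .aspx files under root that are
    either a known web-shell filename or were modified after baseline_epoch."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path = Path(dirpath) / name
            if name.lower() in known:
                findings.append((str(path), "known web-shell filename"))
            elif path.stat().st_mtime > baseline_epoch:
                findings.append((str(path), "modified after baseline"))
    return sorted(findings)


def _write(path, mtime=None):
    """Create a small file; optionally back-date its mtime (hypothetical helper)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("<%@ Page Language=\"C#\" %>\n")
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def build_sample_tree(root):
    """Construct a sample directory layout for the demo and return the baseline.

    The layout and timestamps are invented for illustration only."""
    now = time.time()
    baseline = now - 7 * 86400          # pretend the last patch was a week ago
    old = baseline - 30 * 86400         # legitimate files predate the baseline
    root = Path(root)
    _write(root / "auth" / "logon.aspx", old)             # legitimate, old: ignored
    _write(root / "auth" / "ExpiredPasswords.aspx", old)  # old, but name is an indicator
    _write(root / "owa" / "help.aspx")                    # fresh mtime: dropped after baseline
    _write(root / "owa" / "readme.txt")                   # fresh, but not .aspx: ignored
    return baseline


def run_demo():
    """Build the constructed tree in a temp dir, hunt it, and return relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = build_sample_tree(tmp)
        hits = hunt_aspx(tmp, baseline)
        return [(Path(p).relative_to(tmp).as_posix(), why) for p, why in hits]


if __name__ == "__main__":
    for rel, why in run_demo():
        print(f"{rel}: {why}")
```

On a real server point `hunt_aspx` at the directories the web server actually serves and set the baseline from change-management records; a name match is a strong indicator regardless of timestamp, while a fresh mtime alone is a lead to check against the deployment history, not a verdict.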
An old threat?
Prometei was first discovered and documented by Cisco Talos researchers in 2020, but Cybereason researchers found evidence that it might date back as far as 2016 and has been evolving ever since, adding new modules and techniques to its capabilities.
“During our investigation, we found different components of the old infrastructure that are now sinkholed, taken down,” Assaf Dahan, Senior Director, Head of Threat Research, Cybereason, told Help Net Security.
“Between 2019-early 2020, the operators of Prometei made some significant changes to the botnet, which included using 4 different C2 servers embedded in the code – in an attempt to make the botnet more resilient to takedowns. We assess that the latest surge of compromises related to Prometei is another attempt to further build the botnet and expand their operation.”