Cisco Systems: New cryptojacking botnet named Prometei mines Monero and steals data from the victims

According to ZDNet, the threat intelligence team at Cisco Systems
has detected new malware, called Prometei, that mines Monero (XMR) and steals data from the computer systems it compromises.


Cisco Talos explained that the Prometei malware has been making the rounds since March 2020

The new botnet is considered noteworthy because it uses an extensive modular system and a variety of techniques to compromise systems and hide its presence from end users while mining Monero (XMR). It relies on 15 executable modules to recover administrator passwords from the infected computer. The botnet is organized into two main functional branches: a C++ branch dedicated to cryptocurrency mining operations, and a .NET-based branch that focuses on credential theft, the abuse of SMB, and obfuscation.

Prometei’s infection chain begins with an attempted compromise of a machine’s Windows Server Message Block (SMB) protocol via SMB vulnerabilities, including EternalBlue.

However, according to some reports, the botnet has been operating since May. Valid passwords are verified by sending them to a control server connected to other networks. Once the malware gains administrative privileges, it records all the data on the system.

Cisco Talos estimates:

“The botnet may contain up to 10,000 systems at any point in time. As of today, the botnet is still running with a hash generating frequency of more than 1M Hash/sec (million hashes per second).”

The researchers stated:

“Mimikatz and brute-force attacks are used to scan for, store, and try out stolen credentials, and any passwords discovered are sent to the operator’s command-and-control (C2) server for reuse by ‘other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols.’”
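The credential-reuse behaviour described in that statement, one infected host trying a stolen password against many other systems over SMB and RDP, leaves a recognisable trace in Windows Security logs: the same account and source address producing network logons (event 4624/4625 with LogonType 3 for SMB, LogonType 10 for RDP) against many distinct hosts in a short window. The following detector is an added example written for this page, not code from the article or from Cisco Talos; the event records are constructed sample data, and the simplified field names, host names, addresses and thresholds are assumptions for the illustration.

```python
"""Added example (not from the article or the Talos report): flag one
(account, source_ip) pair that touches many distinct hosts over SMB or RDP
within a short window, the pattern of stolen passwords being tried elsewhere.
Field names are simplified from the real 4624/4625 event XML (assumption)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; hosts, addresses and account names are made up.
SAMPLE_EVENTS = [
    # svc_backup from 10.0.5.14 is tried against four hosts in under a minute:
    # two SMB failures, one SMB success, then an RDP success.
    {"time": "2020-07-22T10:00:05", "event_id": 4625, "logon_type": 3,
     "account": "svc_backup", "source_ip": "10.0.5.14", "host": "FS01"},
    {"time": "2020-07-22T10:00:09", "event_id": 4625, "logon_type": 3,
     "account": "svc_backup", "source_ip": "10.0.5.14", "host": "FS02"},
    {"time": "2020-07-22T10:00:15", "event_id": 4624, "logon_type": 3,
     "account": "svc_backup", "source_ip": "10.0.5.14", "host": "FS03"},
    {"time": "2020-07-22T10:01:02", "event_id": 4624, "logon_type": 10,
     "account": "svc_backup", "source_ip": "10.0.5.14", "host": "WKS07"},
    # Ordinary activity: one user, one RDP session, one later file-share logon.
    {"time": "2020-07-22T10:05:40", "event_id": 4624, "logon_type": 10,
     "account": "alice", "source_ip": "10.0.7.3", "host": "WKS12"},
    {"time": "2020-07-22T10:20:11", "event_id": 4624, "logon_type": 3,
     "account": "alice", "source_ip": "10.0.7.3", "host": "FS01"},
    # A local console logon (LogonType 2) is not a lateral movement signal.
    {"time": "2020-07-22T10:07:00", "event_id": 4624, "logon_type": 2,
     "account": "bob", "source_ip": "-", "host": "WKS01"},
]

NETWORK_LOGON_TYPES = {3, 10}   # 3 = network (SMB), 10 = RemoteInteractive (RDP)
LOGON_EVENTS = {4624, 4625}     # success, failure


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_credential_reuse(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return one alert per (account, source_ip) pair whose SMB/RDP logon
    attempts reached at least `min_hosts` distinct hosts inside `window`.
    Failures count as well as successes: a password being tested against
    hosts where it is not valid still produces 4625 events."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["event_id"] in LOGON_EVENTS and ev["logon_type"] in NETWORK_LOGON_TYPES:
            by_pair[(ev["account"], ev["source_ip"])].append(ev)

    alerts = []
    for (account, src), evs in by_pair.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        times = [parse_time(e["time"]) for e in evs]
        best = None
        start = 0
        # Sliding window over the pair's events, widest distinct-host set wins.
        for end in range(len(evs)):
            while times[end] - times[start] > window:
                start += 1
            span = evs[start:end + 1]
            hosts = sorted({e["host"] for e in span})
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "account": account,
                    "source_ip": src,
                    "hosts": hosts,
                    "failed": sum(1 for e in span if e["event_id"] == 4625),
                    "succeeded": sum(1 for e in span if e["event_id"] == 4624),
                    "first_seen": span[0]["time"],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_credential_reuse(SAMPLE_EVENTS):
        print(alert)
```

Feeding real 4624/4625 records into this requires mapping the event's IpAddress, TargetUserName and LogonType fields onto the simplified keys used here; the threshold of three hosts in ten minutes is a starting point that should be tuned against a baseline of legitimate service accounts, which also fan out to many hosts.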

Vanja Svajcer, a researcher at Cisco Talos, stated:

“Prometei earns its owner around 1500 USD per month. Although this does not sound like much compared with other quoted figures, it comfortably earns well over an average salary in some countries.”

Svajcer explained:

“Stealing credentials is the most dangerous part of the Prometei botnet. You could consider the attacker with its bot being a burglar in your home. Naturally, the burglar searches all the drawers and finds various keys. They take keys with them and ask somebody else (another infected system) to check if any of the keys work on your car, safe deposit box, etc. Obviously, when criminals break into a house, it opens up a whole new set of opportunities. It is very similar to this botnet.”

Research shows that Prometei makes a moderate profit for a single developer who is likely based in Eastern Europe. However, Prometei C2 requests have been detected from countries including the US, Brazil, Turkey, China, and Mexico. The malware targeted old vulnerabilities in the Windows operating system in order to mine Monero.
