Old but Efficient: How Prometei Is Still Taking Over New Devices

Unpatched systems become easy prey for the digital predator.

The eight-year-old 'Prometei' botnet continues to infect systems around the world, spreading cryptojacking programs and web shells. It was first discovered in 2020, but researchers' data shows that it has been active since 2016. During this time, it has infiltrated more than 10,000 computers in countries such as Brazil, Indonesia, Turkey, and Germany.

Prometei actively exploits vulnerabilities in widely deployed software, penetrating systems with insufficient protection. According to Callie Guenther, Threat Research Manager at Critical Start, the botnet spreads through weak configurations and unsecured servers. It targets regions with weak cybersecurity, avoiding geographical restrictions and capitalizing on systemic flaws.

A recent report from Trend Micro describes how Prometei initially acts quite clumsily, making many failed login attempts, but then covertly exploits old vulnerabilities. One of them is BlueKeep, a remote code execution flaw still found in legacy RDP deployments. It also uses EternalBlue to spread over the SMB protocol and probes for Exchange servers that remain unpatched against ProxyLogon.
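The two legacy exposures named above, SMBv1 (the EternalBlue path) and RDP without Network Level Authentication (the BlueKeep path), plus the noisy failed-logon pattern the report describes, can be checked from the host itself. The following read-only audit is an added example for this post, not code from the article or from Trend Micro; it assumes a Windows host with the SmbShare module available and an elevated PowerShell session, and the thresholds are assumptions:

```powershell
# Added example: read-only audit of the legacy exposures the article names.
# Assumes Windows, elevated PowerShell, SmbShare module present.

function Test-LegacyExposure {
    $results = @()

    # SMBv1 server support. EternalBlue targets SMBv1, so it should be off.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb) {
        $smb1On = [bool]$smb.EnableSMB1Protocol
        $results += [pscustomobject]@{
            Control = 'SMBv1 server protocol'
            State   = $(if ($smb1On) { 'Enabled' } else { 'Disabled' })
            Risk    = $(if ($smb1On) { 'High' } else { 'OK' })
        }
    }

    # RDP listener and NLA. BlueKeep is reachable before authentication;
    # requiring NLA forces a logon before the vulnerable code path is hit.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $rdpOn = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)
    $nla   = ($null -ne $rdp) -and ($rdp.UserAuthentication -eq 1)
    $results += [pscustomobject]@{
        Control = 'RDP enabled'
        State   = $(if ($rdpOn) { 'Yes' } else { 'No' })
        Risk    = $(if ($rdpOn -and -not $nla) { 'High' } elseif ($rdpOn) { 'Review' } else { 'OK' })
    }
    $results += [pscustomobject]@{
        Control = 'RDP Network Level Authentication'
        State   = $(if ($nla) { 'Required' } else { 'Not required' })
        Risk    = $(if ($rdpOn -and -not $nla) { 'High' } else { 'OK' })
    }

    # Failed logons (Security event 4625) in the last 24 hours. The article
    # describes the bot as "clumsy" at first, so a spike here is worth a look.
    # The threshold of 100 is an assumed value; tune it to your baseline.
    $since  = (Get-Date).AddHours(-24)
    $failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
    $results += [pscustomobject]@{
        Control = 'Failed logons (4625), last 24h'
        State   = $failed.Count
        Risk    = $(if ($failed.Count -gt 100) { 'Review' } else { 'OK' })
    }

    return $results
}

Test-LegacyExposure | Format-Table -AutoSize
```

The function only reads configuration and event logs; remediation (disabling SMBv1, enforcing NLA, applying the vendor patches) is a separate, deliberate change. Run it across a fleet and sort by the Risk column to find the hosts that match the profile the article describes.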

The goal of the Prometei attacks is to find systems that are left without regular updates. According to Qualys expert Mayuresh Dani, the botnet is primarily looking for easy targets. This approach allows the attackers to minimize resistance and get the most out of unprotected resources.

After penetrating a system, the botnet uses a Domain Generation Algorithm (DGA) to maintain communication with its command-and-control servers even if some domains are blocked. The program also forcibly re-enables the legacy WDigest authentication provider so that passwords are cached in plain text, and it bypasses Windows Defender by excluding its key libraries from scanning.
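Both host-side changes described above leave traces that a defender can audit: re-enabling WDigest means setting UseLogonCredential to 1 under the WDigest key, and Defender exclusions show up in the live preferences, in the registry, and as configuration-change events (ID 5007) in the Defender operational log. The script below is an added example written for this post, not code from the article or from any vendor; it assumes Windows with Microsoft Defender installed and an elevated session, and the seven-day lookback is an assumption:

```powershell
# Added example: read-only audit for the two tampering behaviours the article
# attributes to Prometei. Assumes Windows, Defender installed, elevated shell.

function Test-CredentialAndAvTampering {
    $findings = @()

    # 1. WDigest. UseLogonCredential = 1 makes LSASS keep clear-text
    #    credentials; on Windows 8.1 / 2012 R2 and later it should be 0 or absent.
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $ulc = Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    $wdigestOn = ($null -ne $ulc) -and ($ulc.UseLogonCredential -eq 1)
    $findings += [pscustomobject]@{
        Check = 'WDigest UseLogonCredential'
        Value = $(if ($ulc) { $ulc.UseLogonCredential } else { 'absent' })
        Risk  = $(if ($wdigestOn) { 'High' } else { 'OK' })
    }

    # 2. Defender exclusions as reported by the live preference set.
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    if ($prefs) {
        $sets = @{
            'Defender path exclusion'      = @($prefs.ExclusionPath)
            'Defender process exclusion'   = @($prefs.ExclusionProcess)
            'Defender extension exclusion' = @($prefs.ExclusionExtension)
        }
        foreach ($kind in $sets.Keys) {
            foreach ($item in $sets[$kind]) {
                if ($item) {
                    $findings += [pscustomobject]@{ Check = $kind; Value = $item; Risk = 'Review' }
                }
            }
        }
    }

    # 3. Registry-backed exclusions (local and policy). Each excluded item is
    #    stored as a value name under Paths / Processes / Extensions.
    $exclusionRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
    )
    foreach ($root in $exclusionRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            foreach ($name in $sub.Property) {
                $findings += [pscustomobject]@{
                    Check = "Registry exclusion ($($sub.PSChildName))"
                    Value = $name
                    Risk  = 'Review'
                }
            }
        }
    }

    # 4. Recent Defender configuration changes (event 5007) that touched
    #    exclusions. The 7-day window is an assumed value.
    $since   = (Get-Date).AddDays(-7)
    $changes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since
    } -ErrorAction SilentlyContinue)
    foreach ($ev in $changes) {
        if ($ev.Message -match 'Exclusions') {
            $findings += [pscustomobject]@{
                Check = 'Defender config change (5007)'
                Value = "$($ev.TimeCreated.ToString('s')) $(($ev.Message -split "`n")[0])"
                Risk  = 'Review'
            }
        }
    }

    return $findings
}

Test-CredentialAndAvTampering | Format-Table -Wrap -AutoSize
```

Every exclusion is reported as 'Review' rather than 'High' because legitimate software adds exclusions too; the point is to compare the list against what change management actually approved. If Sysmon is deployed, a registry-set event (ID 13) on the UseLogonCredential value gives the same WDigest signal in real time instead of on the next audit run.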

The main goal of Prometei remains the covert mining of the Monero cryptocurrency on infected devices. In addition, the botnet installs a web shell through the Apache server, allowing the attackers to download additional files and run arbitrary commands.

The researchers note that the presence of cryptominers on a system, as in the Prometei campaigns, may indicate more serious attacks. As Trend Micro's Stephen Hilt mentioned, a botnet is often a harbinger of other threats, as has already been observed with LemonDuck, which combined cryptojacking and extortion.

The name "Prometei" refers to the mythological Prometheus, whose liver regrew each day after being eaten by an eagle, a symbolic nod to the botnet's resilience even after attempts to eliminate it.
