Bitcoin Forum
Topic: Prometei: New cryptojacking botnet
cryptomaniac_xxx (OP)
July 24, 2020, 09:58:17 AM
Last edit: July 24, 2020, 10:26:20 AM by cryptomaniac_xxx
Merited by vapourminer (1), pooya87 (1), Yaunfitda (1), DdmrDdmr (1)
 #1

A new botnet was discovered in the wild by Cisco Talos.

Another very sophisticated cryptojacking botnet:

Quote
Prometei is stealing passwords with a modified version of Mimikatz (miwalk.exe). These pass to the spreader module (rdpclip.exe) for parsing and authentication over an SMB session.

Should the credentials fail, the spreader launches a variant of the EternalBlue exploit for distributing and launching the main module (svchost.exe). Svajcer says that the author of the botnet is also aware of the SMBGhost vulnerability, although he did not find evidence of the exploit being used.

The last payload delivered on a compromised system is SearchIndexer.exe, which is version 5.5.3 of the XMRig open-source Monero mining software.

Evasion and anti-analysis
Prometei is unlike most mining botnets. Apart from organizing the tools by their purpose in the attack, it also features anti-detection and analysis evasion attributes.

Its author added layers of obfuscation from early versions of the bot, which grew more complex in later variants. The main module spreads on the network under various names ("xsvc.exe," "zsvc.exe") and uses a different packer that depends on an external file to be properly unpacked.

"In addition to making manual analysis more difficult, this anti-analysis technique also avoids detection in dynamic automated analysis systems" - Vanja Svajcer

Furthermore, Prometei can communicate with the C2 server using TOR or I2P proxies, too, to get instructions and send out stolen data.

The researcher says that the main module can also double as a remote access trojan, although the main functionality is Monero mining and possibly stealing Bitcoin wallets.

Prometei victims are located in the United States, Brazil, Pakistan, China, Mexico, and Chile. In four months, they earned the threat actor less than $5,000, or an average of $1,250 a month.

https://www.bleepingcomputer.com/news/security/new-cryptojacking-botnet-uses-smb-exploit-to-spread-to-windows-systems/

So if you see your Windows machines starting to slow down a bit, you need to sit down and check everything.
vapourminer
July 26, 2020, 02:52:09 AM
 #2

I would hope most users would notice the computer's cooling system ramping up for no particular reason, although most of my systems' noise levels under load are generally the same as at idle with my setups, as I over-build cooling.

Although I imagine there are ways a smart programmer could hide this (use a fraction of the processing power, perhaps).
khaled0111
July 26, 2020, 02:37:33 PM
 #3

Quote
I would hope most users would notice the computer's cooling system ramping up for no particular reason, although most of my systems' noise levels under load are generally the same as at idle with my setups, as I over-build cooling.
It would be hard for inexperienced users, who are usually the main target of hackers, to notice the difference, especially when they use new computers which are totally quiet even under heavy load.
Even if they notice it, they would think that a legitimate program/process is running in the background.

Quote
Although I imagine there are ways a smart programmer could hide this (use a fraction of the processing power, perhaps).
It's possible, but it wouldn't be as profitable as running their victims' CPUs at max power.

robelneo
July 26, 2020, 02:58:32 PM
 #4

This is a big cause of concern
Quote
Prometei is unlike most mining botnets. Apart from organizing the tools by their purpose in the attack, it also features anti-detection and analysis evasion attributes.

You cannot fix something that you are not aware of working inside your computer. If you cannot trace it in your task manager, then you need another tool to trace this botnet, and an up-to-date malware removal tool could trace and remove it. There is another form of ransomware making the rounds now; it's called Zida. It's old, but it's making a comeback now.


Yaunfitda
July 26, 2020, 10:27:56 PM
 #5

Quote
This is a big cause of concern
Quote
Prometei is unlike most mining botnets. Apart from organizing the tools by their purpose in the attack, it also features anti-detection and analysis evasion attributes.

You cannot fix something that you are not aware of working inside your computer. If you cannot trace it in your task manager, then you need another tool to trace this botnet, and an up-to-date malware removal tool could trace and remove it. There is another form of ransomware making the rounds now; it's called Zida. It's old, but it's making a comeback now.

Yes, it is very hard for a user to trace whether his system is under attack by this cryptojacking, because there is no way for you to find it out. That's why it still boils down to how educated a user is about this kind of attack. No sign, but your machine is somewhat lagging or very slow, or it is heating up? Then for sure something is wrong, and it could be this cryptojacking.

NeuroticFish
July 26, 2020, 10:46:37 PM
Merited by vapourminer (1), pooya87 (1)
 #6

I've said it multiple times: if you use Windows, get Process Explorer (Sysinternals/Microsoft) and set it to start with the system.
Also make it always visible in the tray.
It will show if the CPU is being used too much and who is using it. It should help find this kind of malware.

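As an added example (not code from any post in this thread), here is a PowerShell script that does what NeuroticFish describes with Process Explorer: it samples CPU use per process over a short window and lists the top consumers. It additionally flags the system-looking process names the quoted article attributes to Prometei (svchost.exe, SearchIndexer.exe, rdpclip.exe, xsvc.exe, zsvc.exe) when they run from outside the Windows directory. The sampling window, the CPU threshold and the name list are assumptions.

```powershell
# Added example, not code from the thread: a scripted equivalent of watching CPU in
# Process Explorer, plus a check for the system-looking process names the quoted
# article attributes to Prometei running from outside the Windows directory.
# The sampling window, the CPU threshold and the name list are assumptions.

$SampleSeconds   = 10
$CpuPctThreshold = 40                  # assumption: % of all cores, sustained over the window
$SuspectNames    = 'svchost','SearchIndexer','rdpclip','xsvc','zsvc'   # from the article, no .exe
$WinDir          = $env:SystemRoot     # usually C:\Windows
$Cores           = [Environment]::ProcessorCount

# Sample 1: cumulative CPU seconds per process id. $_.CPU is $null when the
# process cannot be opened (protected/system processes); those are skipped.
$first = @{}
Get-Process | Where-Object { $null -ne $_.CPU } | ForEach-Object { $first[$_.Id] = $_.CPU }
Start-Sleep -Seconds $SampleSeconds

# Sample 2: the delta over the window, normalised to all logical cores, is the
# machine-wide CPU share. A miner typically sits near 100 here. A negative delta
# means the pid was reused by a new process, so that entry is skipped.
$report = foreach ($p in Get-Process) {
    if (-not $first.ContainsKey($p.Id) -or $null -eq $p.CPU) { continue }
    $delta = $p.CPU - $first[$p.Id]
    if ($delta -lt 0) { continue }
    $pct  = [math]::Round(100 * $delta / ($SampleSeconds * $Cores), 1)
    $path = $p.Path                    # $null when access is denied
    $masq = ($SuspectNames -contains $p.ProcessName) -and $path -and
            -not $path.StartsWith($WinDir, [StringComparison]::OrdinalIgnoreCase)
    $flag = if ($masq) { 'SYSTEM-NAME-OUTSIDE-WINDIR' }
            elseif ($pct -ge $CpuPctThreshold) { 'HIGH-CPU' }
            else { '' }
    [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; CpuPct = $pct; Flag = $flag; Path = $path }
}

"Top CPU consumers over the last $SampleSeconds s:"
$report | Sort-Object CpuPct -Descending | Select-Object -First 10 | Format-Table -AutoSize

"Flagged processes (check the image path and its signature before acting):"
$report | Where-Object { $_.Flag } | Format-Table -AutoSize
```

A high-CPU hit on a correctly located, Microsoft-signed binary is usually legitimate work; the combination of a system name, an unusual path and sustained CPU is what deserves a closer look.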
Maus0728
July 27, 2020, 04:41:00 AM
 #7

Quote
I've said it multiple times: if you use Windows, get Process Explorer (Sysinternals/Microsoft) and set it to start with the system.
Also make it always visible in the tray.
It will show if the CPU is being used too much and who is using it. It should help find this kind of malware.
What is the difference between downloading and running Process Explorer and running it from Sysinternals Live? Do I need to pay for this service? This is my first time encountering this kind of in-depth task manager.

NeuroticFish
July 27, 2020, 04:52:18 AM
 #8

I don't know what Sysinternals Live is. I've always downloaded it and kept it on my computer.
Sysinternals was bought by Microsoft many years ago, so make sure you download it from Microsoft, not from some strange website.
