A new botnet was discovered in the wild by Cisco Talos. Another very sophisticated cryptojacking botnet:
Prometei steals passwords with a modified version of Mimikatz (miwalk.exe). The harvested credentials are passed to the spreader module (rdpclip.exe), which parses them and uses them to authenticate over an SMB session.
Should the credentials fail, the spreader launches a variant of the EternalBlue exploit for distributing and launching the main module (svchost.exe). Svajcer says that the author of the botnet is also aware of the SMBGhost vulnerability, although he did not find evidence of the exploit being used.
The last payload delivered on a compromised system is SearchIndexer.exe, which is version 5.5.3 of the XMRig open-source Monero mining software.
Evasion and anti-analysis
Prometei is unlike most mining botnets. Apart from organizing the tools by their purpose in the attack, it also features anti-detection and analysis evasion attributes.
Its author added layers of obfuscation from early versions of the bot, which grew more complex in later variants. The main module spreads on the network under various names ("xsvc.exe," "zsvc.exe") and uses a different packer that depends on an external file to be properly unpacked.
"In addition to making manual analysis more difficult, this anti-analysis technique also avoids detection in dynamic automated analysis systems" - Vanja Svajcer
Furthermore, Prometei can communicate with its C2 server through Tor or I2P proxies to fetch instructions and send out stolen data.
The researcher says that the main module can also double as a remote access trojan, although the main functionality is Monero mining and possibly stealing Bitcoin wallets.
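A defender-side illustration of the tool chain described above, written here as an added example rather than code from the article or from Talos: it scans constructed Sysmon-style process-creation events for the module names the post lists (miwalk.exe, rdpclip.exe, xsvc.exe, zsvc.exe, SearchIndexer.exe, svchost.exe). Since rdpclip.exe, svchost.exe and SearchIndexer.exe are also genuine Windows binaries, a copy is only flagged when it runs outside System32; the miner command-line check uses standard XMRig options and is an assumed heuristic, as the post does not show how Prometei invokes the miner.

```python
import re

SYSTEM32 = r"c:\windows\system32"

# Names reported for Prometei modules. The first three also exist as real
# Windows binaries, so only a copy outside System32 is suspicious;
# miwalk/xsvc/zsvc have no legitimate twin and are flagged wherever they run.
LOOKALIKES = {"rdpclip.exe", "svchost.exe", "searchindexer.exe"}
UNIQUE = {"miwalk.exe", "xsvc.exe", "zsvc.exe"}

# Assumed heuristic: common XMRig options (pool URL, user/wallet, donate level).
MINER_ARGS = re.compile(r"(?:^|\s)(?:-o|--url|-u|--user|--donate-level)\b", re.I)


def classify(event: dict) -> list:
    """Return the reasons an event looks like Prometei activity ([] if none)."""
    image = event.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    folder = image.rsplit("\\", 1)[0].lower()
    reasons = []
    if name in UNIQUE:
        reasons.append(f"known Prometei module name {name}")
    if name in LOOKALIKES and folder != SYSTEM32:
        reasons.append(f"Windows-lookalike {name} running from {folder}")
    if MINER_ARGS.search(event.get("CommandLine", "")):
        reasons.append("miner-style command line")
    return reasons


def scan(events: list) -> list:
    """Return each flagged event together with the reasons it was flagged."""
    return [dict(e, reasons=classify(e)) for e in events if classify(e)]


# Constructed sample events (not real telemetry); the staging path is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Users\Public\staging\rdpclip.exe", "CommandLine": "rdpclip.exe"},
    {"Image": r"C:\Users\Public\staging\miwalk.exe", "CommandLine": "miwalk.exe"},
    {"Image": r"C:\Users\Public\staging\SearchIndexer.exe",
     "CommandLine": "SearchIndexer.exe -o pool.example:3333 -u WALLET_PLACEHOLDER"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["Image"], "->", "; ".join(hit["reasons"]))
```

The legitimate System32 svchost.exe is not flagged; the three staged copies are, the last one for both its location and its miner-style arguments.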
Prometei victims are located in the United States, Brazil, Pakistan, China, Mexico, and Chile. In four months, the operation earned the threat actor less than $5,000, or an average of $1,250 a month.
https://www.bleepingcomputer.com/news/security/new-cryptojacking-botnet-uses-smb-exploit-to-spread-to-windows-systems/

So if you see your Windows machines starting to slow down a bit, you need to sit down and check everything.