Prometei Botnet Exploits Unpatched Microsoft Exchange Vulnerabilities for Propagation

Security researchers reveal a significant shift in malicious tactics of the Prometei botnet, which is now capable of leveraging the “ProxyLogon” exploit for Windows Exchange servers to penetrate the targeted network and drop cryptojacking malware onto users’ machines. Although the main objective is to mine Monero by exploiting the processing powers of the infected instances, the broad functionality of Prometei allows its operators to perform a variety of other highly sophisticated attacks compared to APT intrusions in its complexity.

Prometei Botnet Overview

Prometei is a multi-stage cryptojacking botnet able of targeting both Linux and Windows machines. Although it was first discovered in 2020, security researchers believe that Prometei initially emerged in 2016, covertly evolving and adding new modules since then. The main goal of the botnet is to enslave devices to the malicious network and mine Monero coins via its processing powers. To achieve this objective, Prometei maintainers apply a broad variety of malicious tools, including Mimikatz, credentials harvesting, SMB, and RDP exploits, SQL spreaders as well as other nefarious tactics powering successful propagation and further infections. 

The latest version of Prometei received a significant upgrade allowing the threat to act as a stealthy backdoor with plenty of sophisticated functions. The analysis from Cybereason indicates that Prometei operators can now steal data from the targeted network, infect endpoint with second-stage malware, or even partner with ransomware gangs by selling access to the compromised infrastructure.

Although there is no much information about Prometei maintainers, security experts believe that a financially motivated Russian-speaking group might stand behind this project. Such an assumption is proved by the fact that the botnet avoids infecting users within the former Soviet Union region.

Microsoft Exchange Zero-Days Exploitation

The latest version of Prometei has been equipped with a set of recently discovered Microsoft Exchange zero-day exploits (CVE-2021-26858, CVE-2021-27065), which allows authenticated hackers to write a file to any path on the vulnerable Exchange server and achieve remote code execution. According to Cybereason, botnet operators rely on these bugs to install and execute China Chopper, which further launches a PowerShell able to download Prometei payload via malicious URL.

Notably, the same Microsft Exchange vulnerabilities were actively exploited in the wild by the China-affiliated HAFNIUM APT group as well as other nation-state actors during March 2021. Although Prometei maintainers are believed to be financially motivated actors with no ties to state-sponsored hackers, the broad toolset and increasing complexity of malicious approaches put them on the list of advanced threats posing serious danger in terms of cyber-espionage, data theft, and malware delivery.

Ongoing Malicious Campaign

According to Cybereason, the ongoing Prometei activity is rather opportunistic and attempts to infect any unpatched instance relying on Microsoft Exchange. The list of targets includes multiple companies working in the banking, insurance, retail, and construction sectors across the US, South America, Europe, and East Asia.

Upon infection, Prometei launches its first module (zsvc.exe), responsible for achieving persistence and establishing command-and-control (C&C) communication with the attacker’s server. This module has broad backdoor capabilities and controls the XMRig cryptominer installed onto the targeted PC. it might launch such commands as program execution, file opening, starting or stopping the mining process, file downloading, gathering systems information, and more. If needed, the malware operators might add more modules to power the malicious capabilities of Prometei and promote its functions far beyond simple Monero mining.

Notably, Prometei execution also launches two other malicious processes (cmd.exe and wmic.exe), which are used to perform reconnaissance and block certain IP addresses from communicating with the infected device. This is presumably done to ensure that no other miners are present on the network and all resources are at Prometei’s service.

Prometei Botnet Detection

To protect your company infrastructure from Prometei botnet infections, you can download a community Sigma rule released by our keen Threat Bounty developer Kyaw Pyiyt Htet: 

https://tdm.socprime.com/tdm/info/G04clREUa9nu/#rule-context

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, FireEye Helix

MITRE ATT&CK:

Tactics: Defense Evasion, Credential Access

Techniques: Credential Dumping (T1003), Masquerading (T1036)

Also, to prevent possible attacks relying on Microsoft Exchange zero-days, you can download tailored detection rules available in Threat Detection Marketplace. 

Rules covering CVE-2021-26858 exploit

Rules covering CVE-2021-27065 exploit 

Subscribe to Threat Detection Marketplace for free to boost your cyber defense capabilities with our 100K+ detection algorithms and threat hunting queries mapped to CVE and MITRE ATT&CK® frameworks. Eager to monetize your threat hunting skills and craft your own Sigma rules? Join our Threat Bounty Program!

Go to Platform Join Threat Bounty