Talos, Cisco’s investigative intelligence and security division, released a report on the Prometei botnet, and how it has evolved since its first detection in 2020. Infections are geographically indiscriminate and opportunistic, with most reported victims in Brazil, Indonesia, and Turkey.
Prometei, first observed in 2016, is a modular botnet featuring a large repertoire of components and various proliferation methods, some of which also include exploiting Microsoft Exchange Server ProxyLogon flaws. It is also notable for avoiding attacking Russia, suggesting that the threat actors behind the operation are likely based in the country.
The investigation highlighted that Prometei manages to bypass the security measures of Windows and Linux, acquiring administrator permissions, thus being able to control the resources of the PC.
Prometei developers have included a system for updating their software through a remote server and this makes it more difficult for antivirus to detect this malware. The affectation of the computer can have multiple origins, such as malicious .ZIP files, or involuntary downloads from infected websites, even via e-mail.
In practice, a mining malware can mine any cryptocurrency (as long as the resources of the affected computer allow it). However, since the goal of criminals is to remain undetected, Monero turns out to be the most attractive option for this threat.
This recent addition of new capabilities indicates that Prometei operators are continually updating the botnet and adding functionality so taking security measures is of the utmost importance.
