The Prometei botnet, a modular malware that has been active since 2016, has returned with a new version, Prometei v3, which has infected over 10,000 systems worldwide since November 2022.
The botnet is geographically opportunistic, with most victims reported in Brazil, Indonesia, and Turkey. The botnet is known for its large repertoire of components and multiple proliferation methods, including exploiting ProxyLogon Microsoft Exchange Server vulnerabilities. The botnet’s primary motivation is financial gain, as it mines cryptocurrency and harvests credentials from infected hosts.
Prometei v3 has improved its existing features to make forensic analysis more challenging and to further entrench its foothold on victim machines. After gaining a successful foothold, a PowerShell command downloads the botnet malware from a remote server, and the main module then retrieves the crypto-mining payload and other auxiliary components onto the system.
Support modules function as spreader programs designed to propagate the malware through Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB).
Prometei v3 uses a domain generation algorithm (DGA) to build out its command-and-control (C2) infrastructure, packs in a self-update mechanism, and expands the set of commands to harvest sensitive data and commandeer the host.
The malware deploys an Apache web server bundled with a PHP-based web shell that can execute Base64-encoded commands and carry out file uploads. Talos noted that this new version aligns with previous assertions by threat researchers that the Prometei operators continuously update the botnet and add functionality.
Prometei v3 notably avoids targeting systems in Russia, suggesting that the threat actors behind the operation are likely based in that country. Otherwise the infections have been indiscriminate, hitting systems across the globe, which makes the botnet a significant threat.
Organizations should take steps to secure their systems and networks, including applying software updates and patches and monitoring for unusual network activity. Additionally, they should have backup and recovery plans in place to minimize the damage caused by an attack.