Cryptomining Botnet Exploits Windows SMB VulnerabilitiesCisco Talos Researchers Say 'Prometei' Used to Mine Monero
A previously undetected botnet called "Prometei" is targeting vulnerable Microsoft Windows devices by brute-forcing SMB vulnerabilities to mine monero cryptocurrency, according to Cisco Talos.
Several thousand devices have been infected since the botnet first appeared in March, but the operation has only generated just under $5,000 in profits during its four-month run, the Cisco Talos researchers say in a new report.
"The botnet was active as early as the beginning of March, but it seems to have been dealt a blow by the takeover of one of its [command-and-control] servers on June 8," researcher Vanja Svajcer notes. "But this takeover didn't stop its mining capabilities or the validation of stolen credentials. The botnet continues to make a moderate profit for a single developer, most likely based in Eastern Europe."
Svajcer notes that if the solo operator was earning about $1,250 a month from the botnet, it would be more than the average monthly salary in many Eastern European countries.
In addition to cryptomining, the researchers found the botnet is capable of stealing administrative credentials and is armed with advanced security evasion techniques.
Exploiting SMB Flaws
Prometei's attacks begin with the operators exploiting the Windows Server Message Block protocol through the EternalBlue vulnerability and using passwords retrieved from Mimikatz, an open-source credential authentication application, according to the report.
To spread laterally through the SMB protocol, the Cisco researchers say the botnet operators use the RdpcIip.exe spreader module.
"The spreader attempts to establish and authenticate an SMB session using stolen credentials or a guest account without a password and copying the main bot module as xsvc.exe or zsvc.exe to the target system," according to the report.
If successful, the spreader uses Windows applications such as the PsExec command-line tool or Windows Management Instrumentation to remotely launch the botnet. If the spreader attempt is unsuccessful, the attackers launch the botnet using variants of the Eternal Blue exploit, the researchers say.
Prometei is not the first cryptomining botnet to leverage the Eternal Blue vulnerability. In June, researchers discovered another botnet called Kingminer that targeted Microsoft SQL Servers by exploiting the EternalBlue and BlueKeep vulnerabilities (see: Kingminer Botnet Targeting SQL Servers for Cryptomining).
Launching The Cryptominer
Once the attackers successfully brute-force the system, the botnet begins its operation. Its main module uses a .NET framework written in C# that handles credential theft, the abuse of SMB and obfuscation. A secondary module coded in C++ takes care of the cryptocurrency mining, according to the report.
"The main branch also has auxiliary modules that provide the ability to communicate by proxying communications over TOR or I2P networks, collecting information about processes running on the system, checks of open ports on target systems and crawling the file systems in search for file names given as the argument to the module, typically bitcoin cryptocurrency wallets," the report notes.
In the final stage of the attack, the botnet deploys XMRig - monero mining software.
Other Cryptomining Schemes
In recent months, security researchers have detected several cryptomining schemes.
In June, Microsoft's Azure Security Center detected a new hacking campaign targeting the Kubeflow platform on Kubernetes, which uses the XMRig cryptominer to mine for monero across multiple clusters (see: Kubeflow Targeted in XMRig Monero Cryptomining Campaign).
In April, researchers at the security firm Guardicore Labs discovered a botnet called Vollagar that exploited vulnerable SQL Servers for cryptomining (see: Botnet Targets Devices Running Microsoft SQL Server: Report).