Prometei Botnet Could Fire Up APT-Style Attacks (Security News, April 2021)
A heretofore little-seen botnet dubbed Prometei is taking a page from advanced persistent threat cyberattackers: The malware is exploiting two of the Microsoft Exchange vulnerabilities collectively known as ProxyLogon, in order to drop a Monero cryptominer on its targets.
The report noted that Cybereason has recently seen wide swathes of Prometei attacks on a variety of industries, including construction, finance, insurance, manufacturing, retail, travel and utilities.
"Prometei is a modular and multistage cryptocurrency botnet that was first discovered in July 2020 which has both Windows and Linux versions," explained Rochberger, who added that the botnet could extend back to 2016.
"Sqhost.exe is able to parse the prometei.cgi file from four different hardcoded C2 servers. The file contains the command to be executed on the machine. The commands can be used as standalone native OS commands or can be used to interact with the other modules of the malware."
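The polling behaviour quoted above (one host fetching prometei.cgi, falling back across several hardcoded C2 servers) gives defenders a simple proxy-log detection. The following is an added example, not code from the article or from Cybereason; it assumes a simplified whitespace-separated proxy log format, and the hostnames and addresses in the sample are constructed placeholders, not real Prometei infrastructure.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (timestamp client method url status); not real traffic.
SAMPLE_PROXY_LOG = """\
2021-04-23T10:01:05Z 10.0.0.21 GET http://c2-a.example/prometei.cgi 200
2021-04-23T10:01:07Z 10.0.0.21 GET http://c2-b.example/prometei.cgi 200
2021-04-23T10:02:11Z 10.0.0.35 GET http://intranet.example/index.html 200
2021-04-23T10:03:40Z 10.0.0.35 GET http://c2-c.example/prometei.cgi 404
2021-04-23T10:04:02Z 10.0.0.21 GET http://c2-c.example/prometei.cgi 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)
SUSPECT_BASENAME = "prometei.cgi"  # file name named in the Cybereason quote


def parse_proxy_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_prometei_polling(text):
    """Map each client that requested prometei.cgi to the sorted set of hosts it
    asked, regardless of HTTP status (a 404 from a dead C2 is still a signal)."""
    hosts_by_client = defaultdict(set)
    for rec in parse_proxy_log(text):
        parts = urlsplit(rec["url"])
        if parts.path.rsplit("/", 1)[-1] == SUSPECT_BASENAME:
            hosts_by_client[rec["client"]].add(parts.hostname)
    return {c: sorted(h) for c, h in hosts_by_client.items()}


def high_confidence_clients(text, min_hosts=2):
    """Clients that tried the same file on several distinct servers match the
    described fallback across hardcoded C2s and deserve the first look."""
    hits = find_prometei_polling(text)
    return sorted(c for c, hosts in hits.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    for client, hosts in find_prometei_polling(SAMPLE_PROXY_LOG).items():
        print(client, "->", ", ".join(hosts))
    print("high confidence:", high_confidence_clients(SAMPLE_PROXY_LOG))
```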
Our assessment is that this tool is used to "Protect" the compromised Exchange Server by deleting potential WebShells so Prometei will remain the only malware using its resources.
The malware's sophistication and rapid incorporation of ProxyLogon exploits show advanced capabilities that could make the botnet a serious danger in terms of espionage, information theft, follow-on malware and more, Rochberger warned.