Cybereason discovers Global Botnet Campaign leveraging Microsoft Exchange vulnerability

Cybereason announced the discovery of a new, highly targeted botnet campaign that uses the stealthy and pervasive Prometei botnet to hit companies around the world with a multi-pronged attack aimed at stealing bitcoin and data from corporate networks. The threat actor, a Russian speaker, is exploiting Microsoft Exchange vulnerabilities to penetrate networks opportunistically. The campaign has likely caused steep financial and data losses for the affected companies.

Prometei has a diverse infrastructure designed to keep the botnet alive and its infected machines enrolled in it. Over the years authorities have taken down several Prometei C2 servers, and the attackers have worked around each takedown. Although Prometei was first publicly reported in July 2020, Cybereason believes it dates back to at least 2016, a year before the now infamous WannaCry and NotPetya attacks that affected more than 200 countries and caused billions in damages. Prometei continues to evolve, with new features and tools observed regularly.

“The Prometei Botnet poses a big risk for companies because it has been underreported. When the attackers take control of infected machines, they are not only capable of stealing bitcoin, but sensitive information as well. If they desire to do so, the attackers can also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints. And to make matters worse, cryptomining drains network computing power, impacting business continuity and the performance and stability of critical servers,” said Assaf Dahan, senior director, head of threat research, Cybereason.

Victims have been observed across a variety of industries, including finance, insurance, retail, manufacturing, utilities, travel and construction. Infected companies are based in countries around the world, including the United States, United Kingdom, Germany, France, Spain, Italy and other European countries, as well as South America and East Asia.

The threat actor appears to be Russian speaking and deliberately avoids infecting machines in former Soviet bloc countries. Prometei's main objective is to install a Monero cryptocurrency miner on corporate endpoints. To spread across networks, the threat actor uses known Microsoft Exchange vulnerabilities alongside the long-known EternalBlue (SMBv1, MS17-010) and BlueKeep (RDP, CVE-2019-0708) exploits, so hosts that are still exposed to either of those are the easiest footholds for lateral movement.
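The two named lateral-movement exploits ride on specific, auditable attack surfaces: EternalBlue needs the SMBv1 server protocol, and BlueKeep needs RDP reachable without Network Level Authentication (NLA). The script below is an added example, not code from Cybereason or from the Prometei research, that reports whether those surfaces are open on a Windows host and flags Exchange hosts for patch review. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the SMB server cmdlets exist); patch-level verification is left to your patch management tooling.

```powershell
# Added example (not from the Cybereason report): audit a Windows host for the
# propagation surfaces named in the text.
#   EternalBlue  -> SMBv1 server protocol (MS17-010)
#   BlueKeep     -> pre-authentication RDP (CVE-2019-0708); NLA blocks the pre-auth path
#   Exchange     -> presence only; patch level must be checked against the Exchange advisories
# Run from an elevated session on Windows 8 / Server 2012 or later.

$findings = @()

# EternalBlue surface: SMBv1 still enabled on the server side.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled (EternalBlue / MS17-010 surface)'
}

# BlueKeep surface: RDP enabled (fDenyTSConnections = 0) without NLA (UserAuthentication != 1).
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOff = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla    = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($rdpOff -eq 0 -and $nla -ne 1) {
    $findings += 'RDP is enabled without NLA (BlueKeep / CVE-2019-0708 pre-auth surface)'
}

# Exchange: the transport service only exists on Exchange servers. Flag the host so its
# cumulative update and security patch level get reviewed; this script does not assess it.
if (Get-Service -Name MSExchangeTransport -ErrorAction SilentlyContinue) {
    $findings += 'Exchange transport service present; verify Exchange CU and security patch level'
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: none of the named propagation surfaces are open"
} else {
    $findings | ForEach-Object { Write-Output "$env:COMPUTERNAME: $_" }
}

# Remediation for the SMBv1 finding, if nothing on the network still depends on SMBv1:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Remediation for the RDP finding: require NLA
#   Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
```

Run it across the estate with your normal remote-execution tooling and triage any host that reports a finding before looking for miner activity; a host that is still serving SMBv1 or pre-auth RDP is reachable by far more than this one botnet.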

Prometei has both Windows and Linux/Unix versions, and it selects its payload according to the operating system it detects on each machine it infects while spreading across the network. Cybereason believes the Prometei operator is financially motivated, hoping to earn hefty sums of bitcoin, and is not backed by a nation-state. Prometei is built to interact with four different command and control (C2) servers, which strengthens the botnet's infrastructure, maintains continuous communication, and makes it more resistant to takedowns.