Monero-mining botnet targets orgs through recent MS Exchange vulnerabilities

The recent Microsoft Exchange Server vulnerabilities might have initially been exploited by a government-backed APT group, but cybercriminals soon followed suit, using them to deliver ransomware and grow their botnet.

One perpetrator of the latter activities is Prometei, a cross-platform (Windows, Linux), modular Monero-mining botnet that seems to have flown under the radar for years.

The attackers’ modus operandi

Cybereason incident responders have witnessed instances of the botnet enslaving endpoints of companies across the globe, in a variety of industries.

“The victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread,” shared Lior Rochberger, senior threat researcher at Cybereason.

One thing that the responders noticed, though, is that the botnet avoids targets in former Soviet bloc countries. For these reasons and others, they believe it is operated by Russian-speaking cybercriminals and not state-sponsored threat actors.

Aside from exploiting CVE-2021-27065 and CVE-2021-26858, two MS Exchange vulnerabilities, the botnet also uses known exploits (EternalBlue and BlueKeep) to leverage old security issues in the SMB and RDP protocols and brute-forces SSH credentials to spread to as many endpoints on the compromised network as possible.

Prometei’s attack sequence

The malware is also adept at remaining hidden from defenders and preventing other potential attackers from using the compromised endpoints.

It uses a variety of persistence techniques and create firewall rules and registry keys to make sure communication with C&C servers can be established. It uses a customized version of Mimikatz to harvest credentials.

It also adds firewall rules to block certain IP addresses used by other (crypto-mining) malware, and uses a module that masquerades as a legitimate Microsoft endpoint security program to constantly check a directory often used to host web shells.

“The malware is specifically interested in the file ‘ExpiredPasswords.aspx’, which was reported to be the name used to obscure the HyperShell backdoor used by APT34 (aka. OilRig). If the file exists, the malware immediately deletes it,” Rochberger explained.

“Our assessment is that this tool is used to ‘protect’ the compromised Exchange Server by deleting potential WebShells so Prometei will remain the only malware using its resources.”

An old threat?

Prometei was first discovered and documented by Cisco Talos researchers in 2020, but Cybereason researchers found evidence that it might date back as far as 2016 and has been evolving ever since, adding new modules and techniques to its capabilities.

“During our investigation, we found different components of the old infrastructure that are now sinkholed, taken down,” Assaf Dahan, Senior Director, Head of Threat Research, Cybereason, told Help Net Security.

“Between 2019-early 2020, the operators of Prometei made some significant changes to the botnet, which included using 4 different C2 servers embedded in the code – in an attempt to make the botnet more resilient to takedowns. We assess that the latest surge of compromises related to Prometei is another attempt to further build the botnet and expand their operation.”