There is a new cryptojacking botnet in town, designed to brute-force its way into as many devices as possible and mine Monero (XMR) cryptocurrency on behalf of its operators.
According to researchers at Cisco Talos, the Prometei botnet has been active since March and moves from one device to the next using a combination of living-off-the-land binaries (LoLBins) such as PsExec and WMI, SMB exploits, and stolen credentials.
The researchers identified 15 attack components in total, all of them managed by the main module, which is responsible for encrypting data before it is sent on to the command-and-control (C2) server. Cisco Talos believes all of the botnet's modules are controlled by a single entity.
“Apart from a large focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and then reused by other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols,” the researchers claim.
The botnet also drops Mimikatz, the credential-dumping tool, onto infected networks. Once account credentials have been harvested, Prometei uses them, together with a version of the EternalBlue SMB exploit, to reach further hosts and launch its main module, SearchIndexer.exe, which is the Monero miner. The file name mimics the legitimate Windows Search indexer, which lives in %SystemRoot%\System32, so a binary of that name running from anywhere else is a red flag.
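The behaviours described above, namely remote execution through PsExec and WMI, credential validation over SMB and RDP, and a miner masquerading as SearchIndexer.exe, each leave traces in standard Windows telemetry. The following triage script is an added example and is not Cisco Talos code or a Prometei artifact. It runs over constructed records shaped like Sysmon Event ID 1 (process creation) and Security Event ID 4625 (failed logon); the field names, the `FAILED_LOGON_THRESHOLD` value and the sample hosts and addresses are assumptions, while the System32 location of the legitimate indexer and the logon-type numbers (3 = network, 10 = RemoteInteractive) are standard Windows facts.

```python
"""Triage constructed Windows endpoint events for Prometei-style activity.

Added example, not Cisco Talos code or a Prometei artifact. Event records
are constructed to resemble Sysmon Event ID 1 (process creation) and
Security Event ID 4625 (failed logon); field names are assumptions.
"""
from collections import defaultdict

# The real Windows Search indexer only ever runs from System32 (fact);
# the same file name anywhere else is masquerading.
LEGIT_SEARCHINDEXER = r"c:\windows\system32\searchindexer.exe"

# Service-side parents left behind by PsExec and WMI remote execution.
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}
SPAWNED_SHELLS = {"cmd.exe", "powershell.exe"}

# Windows logon types: 3 = network (SMB), 10 = RemoteInteractive (RDP).
CRED_CHECK_LOGON_TYPES = {3, 10}
FAILED_LOGON_THRESHOLD = 4  # assumed tuning value, not from the article


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(event):
    """Findings for one process-creation event (list of (kind, host, detail))."""
    findings = []
    image = event["image"].lower()
    name = basename(image)
    parent = basename(event["parent_image"])
    if name == "searchindexer.exe" and image != LEGIT_SEARCHINDEXER:
        findings.append(("masquerading_searchindexer", event["host"], image))
    if parent in REMOTE_EXEC_PARENTS and name in SPAWNED_SHELLS:
        findings.append(("remote_exec_lolbin", event["host"], f"{parent} -> {name}"))
    return findings


def check_failed_logons(events, threshold=FAILED_LOGON_THRESHOLD):
    """Sources whose failed SMB/RDP logons touch >= threshold (host, account) pairs.

    A module replaying stolen passwords against many systems produces exactly
    this fan-out of 4625 events from a single source address.
    """
    by_source = defaultdict(set)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] in CRED_CHECK_LOGON_TYPES:
            by_source[e["source_ip"]].add((e["host"], e["account"]))
    return {src: sorted(t) for src, t in by_source.items() if len(t) >= threshold}


def triage(events):
    """Run both checks over a mixed event stream."""
    process_findings = []
    for e in events:
        if e["event_id"] == 1:
            process_findings.extend(check_process(e))
    return {"processes": process_findings,
            "credential_checks": check_failed_logons(events)}


def proc(host, image, parent):
    return {"event_id": 1, "host": host, "image": image, "parent_image": parent}


def failed_logon(host, src, account, logon_type):
    return {"event_id": 4625, "host": host, "source_ip": src,
            "account": account, "logon_type": logon_type}


# Constructed sample telemetry (not real IoCs).
SAMPLE_EVENTS = [
    proc("WS01", r"C:\Windows\System32\SearchIndexer.exe",   # legitimate indexer
         r"C:\Windows\System32\services.exe"),
    proc("WS02", r"C:\Windows\Temp\SearchIndexer.exe",       # miner masquerading
         r"C:\Windows\PSEXESVC.exe"),
    proc("WS02", r"C:\Windows\System32\cmd.exe",             # PsExec remote shell
         r"C:\Windows\PSEXESVC.exe"),
    proc("WS03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"C:\Windows\System32\wbem\WmiPrvSE.exe"),          # WMI remote shell
    failed_logon("WS04", "10.0.0.15", "administrator", 3),
    failed_logon("WS05", "10.0.0.15", "administrator", 3),
    failed_logon("WS06", "10.0.0.15", "administrator", 10),
    failed_logon("WS07", "10.0.0.15", "administrator", 3),
    failed_logon("WS04", "10.0.0.99", "jsmith", 10),         # lone typo, below threshold
]

if __name__ == "__main__":
    for kind, host, detail in triage(SAMPLE_EVENTS)["processes"]:
        print(f"{kind:28} {host:6} {detail}")
    for src, targets in triage(SAMPLE_EVENTS)["credential_checks"].items():
        print(f"credential validation from {src}: {len(targets)} targets")
```

The two process checks are independent on purpose: a masquerading SearchIndexer.exe is worth an alert even when it was not started through PsExec, and a PsExec- or WMI-spawned shell is worth one even when no miner has landed yet. The logon check keys on (host, account) pairs rather than raw counts so that one user mistyping a password several times does not trip it.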
To make matters worse, Prometei also carries an extensive set of anti-detection and anti-analysis features that make the botnet harder both to spot and to reverse engineer.