In the latest slew of attacks against the infamous Exchange ProxyLogon flaws, cybercriminals are infecting systems and adding them to the cryptocurrency-mining Prometei botnet.
Researchers with Cybereason on Thursday said they have observed attacks targeting thousands of machines across companies in North America. The cybercriminals behind these attacks are targeting two flaws – part of a collection of previously-disclosed Microsoft Exchange vulnerabilities – in order to initially infect the network and install malware. The end goal of the attack is to add the infected systems to the modular Prometei botnet, which mines Monero coins.
“As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks,” said Lior Rochberger, security researcher with Cybereason. “We anticipate continued evolution of the advanced techniques being used by different threat actors for different purposes, including cybercrime groups.”
When researchers with Cisco Talos first uncovered the Prometei botnet in July, they believed the botnet was active since March 2020. As part of their new report, Cybereason researchers now believe that the botnet has been in the wild as far back as 2016. That’s because a deep-dive investigation into the botnet’s infrastructure revealed that a Prometei.cgi file – which contains commands for the botnet to execute on infected machines – dates back to May 2016.
In addition, researchers found that the botnet’s operators have expanded their initial infection vectors. Previously, the actor employed various methods to spread across the network, such as stolen credentials and SMB exploits. This latest slew of attacks, however, show the botnet operators now relying on several of the Microsoft Exchange vulnerabilities known collectively as ProxyLogon, which are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Microsoft released a patch in March for the flaws, which can be chained together to create a pre-authentication remote code execution (RCE) exploit.
Cybercriminals behind Prometei have specifically honed in on CVE-2021-27065 and CVE-2021-26858 in order to perform remote code execution on the vulnerable devices. They first install and execute the China Chopper webshell, which is used to launch a PowerShell and ultimately download the payload. The payload, saved as C:windowszsvc.exe, marks the start of the Prometei botnet execution.
Once downloaded, the botnet then executes various modules, including the zsvc.exe module that “prepares the ground” for other modules and sets up a registry key for persistence; the RdpcIip module, which harvests credentials and spreads across the network using stolen credentials; and the Sqhost.exe module, which contains backdoor capabilities to support a range of commands. One of these commands is to start the mining process by launching the miner (SearchIndexer.exe).
Rochberger said, researchers cannot estimate with certainty the amount that cybercriminals have profited from the compromises.
“Around March 2021, we noticed that one of the wallets used by Prometei was banned due to reports of botnet mining,” said Rochberger. “That being said, it is very easy to set up multiple wallets, and we cannot be sure how many wallets are used by the group.”