Updated Prometei botnet evades defenses, mines Monero

A stealthier variant of the Prometei botnet is roiling security teams with improved infrastructure and new capabilities. The stepped-up version’s primary goal aims to deliver to its victim Monero crypto-mining malware and updated credential theft tools.

In a blog post Thursday, Cisco Talos researchers said threat actors are actively spreading an improved third-generation Linux version of the Prometei botnet which it estimates has infected approximately 10,000 systems globally.

“We have observed previously undocumented functionality, including an alternative C2 domain generating algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache Webserver with a web shell that’s deployed onto victim hosts, improving the overall technical capabilities of the botnet,” according to the Cisco report.

The Prometei botnet is highly modular and demonstrates worm-like capabilities, Cisco reported. Its primary goal is to deploy the Monero cryptocurrency miner malware. The botnet , “has been continuously improved and updated since it was first seen in 2016, posing a persistent threat to organizations,” researchers said.  

“Prometei is definitely a dangerous threat,” said Nick Biasini, head of outreach at Cisco Talos. “It has shown the ability to continuously update its infection mechanisms, anti-analysis techniques, and with this recent addition of a Domain Generation Algorithm and self-updating mechanisms, can evade blocking mechanisms more effectively. The payload may primarily be cryptominers, but the additional ability to steal credentials has become increasingly important in a cybercrime landscape dominated by access brokers.”

According to Cisco, prior to the Russian invasion of Ukraine, the threat actor behind the botnet mainly avoided targeting Russia and many of its border states. Those efforts now only include avoiding Russia. Cisco Talos reported that it may indicate a desire to limit the infection of and/or communication to any Russian hosts by the botnet’s author – sending the message that previously excluded border states are now fair game.

Botnets that go beyond DDoS attacks

Botnets have been an issue for well over 20 years, with their capabilities evolving over time to the point where they are multi-function tools that can fill multiple roles, explained Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said the evolution of the Prometei botnet is a good example, and points out that they’re not just used for executing DDoS attacks or spreading spam. 

“It also shows how important cryptocurrency has become in the darknet economy, as well as an alternative to the common ‘ransomware and extort’ business model that’s become common,” said Parkin. “Using their bots to mine for cryptocurrency is much less destructive or intrusive on the host, meaning it’s likely to remain under the radar for much longer than another more aggressive attack might.”

One of the problems criminals have with so many victim machines under their control is how to monetize all of them, said John Bambenek, principal threat hunter at Netenrich. Bambenek said DDoS for hire is highly transient:  there’s only so much spam/phishing they can do, so many have turned to passive income mining Monero, which is easy to do on commodity hardware.

“A typical consumer PC might mine only a few dollars a month in Monero, if your conservative,” said Bambenek. “If you have hundreds of thousands of machines, that’s real money. The likelihood of prosecution in cybercrime is already low, and with crypto mining it’s nonexistent.”

Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct, added that botnets as a whole are designed to make “zombie” terminals into one large supercomputer to do the bidding of the user in control of the “zombies.”

“It sounds cool, but in practice this requires persistence left on a machine, which increases the chance of being discovered, Fullmer said. “In the grand scheme of things the miner is not the concern. Security teams should worry about machines having a webshell and C2 server running that could allow the pushing of other items to their devices.”