Botnets have been very popular in the world of cybercrime for a while now. Cyber crooks would hijack vulnerable systems en masse and then use them for various nefarious purposes. Older projects would concentrate on carrying out DDoS (Distributed-Denial-of-Service) attacks or mass spam email campaigns.
However, more contemporary projects would, instead, plant a Trojanized cryptomining module. This would allow the botnet operators to use the hardware of the hijacked system to mine for cryptocurrencies. Naturally, all the coins mined by the Trojanized crypto miner would be transferred to the cryptocurrency wallets of the attackers. This is the case with the Prometei Botnet. This botnet project relies on planting a Trojanized cryptocurrency miner, which mines the Monero cryptocurrency (also known as XMR).
Despite the fact that the Prometei Botnet has been spotted only recently, it is likely that this project has been operative for several months. The Prometei Botnet does not only plant cryptocurrency miners on the compromised hosts. This intriguing project also is capable of collecting login credentials from the breached systems using publicly available password recovery tools. The tool utilized by the Prometei Botnet operators is called Mimikatz and is very popular among cybercriminals. The Mimikatz utility is a legitimate password recovery tool that has been hijacked by numerous cybercriminals who have misappropriated it to collect passwords from their targets.
The Prometei botnet uses a number of different modules that can help it shape into a formidable threat. The primary payload consists of four modules. The main botnet module is installed as svchost.exe in the Windows folder, spreading laterally with the module names ''zsvc.exe'' and ''xsvc.exe''.
It's accompanied by a spreader, named rdpclip.exe, coupled with the modified Mimikatz password stealer miwalk.exe. The final module of the primary payload is XMRix v5.5.3, an open-source Monero mining software that gets installed as SearchIndexer.exe in c:\windows\dell. The primary botnet payload also has several other auxiliary modules that help it search for specific files on the system, check if the 445 port is opened, and help it communicate with the C2 servers over TOR.
Once installed, the primary payload will aid the secondary module branch by launching the nvstub.exe file that was previously downloaded as a password-protected 7-Zip archive. Nvstub.exe sets up the environment for other modules. This includes the second bot, nvsync.exe, which is written in .NET, unlike most other modules that are written in either C or C++.
The Prometei Botnet appears to be concentrated in several regions – the United States, China, Pakistan, Brazil, Mexico, and Chile. It would appear that, for the moment, the operators of the Prometei Botnet are only planting cryptocurrency miners on their targets' systems. However, some cybersecurity analysts believe that the Prometei Botnet may possess some hidden features that will allow it to operate as a RAT (Remote Access Trojan).
The Prometei Botnet is a complex project that can prove to be very threatening. This botnet appears to be growing rather fast, so it may likely be back in the news in the near future. It is best to protect your PC with a reputable, up-to-date anti-virus software suite.
Prometei Botnet may call the following URLs: