Threat Watch

Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities

Prometei is a cross-platform botnet first observed in July 2020. Initially the botnet gained its first foothold on systems through SMB brute-forcing and exploits such as EternalBlue. Recently Cybereason responded to multiple incidents involving Prometei in which it used CVE-2021-27065 and CVE-2021-26858 (Microsoft Exchange vulnerabilities) for initial infection of targeted systems. This malware is opportunistic, infecting machines across multiple countries and industries. One interesting finding is that it appears to explicitly avoid infecting systems in former Soviet countries.

Prometei is advanced in nature. Its infection chain is made up of multiple modules, including more than 15 executable files. It supports multiple commands, with the main objective observed being the mining of Monero cryptocurrency. The malware operators also have the option to harvest credentials and other data and to maintain persistence, which allows collaboration with other threat groups for further operations.

While crypto-mining botnets aren’t new, they are expanding their capabilities and objectives, as Prometei shows. It is important to take this threat seriously because more destructive malware could be loaded after the crypto-mining operation is complete. This is a modular botnet whose ongoing development and evolution lead researchers to believe it is authored and backed by a more sophisticated development or threat group. As a point of emphasis, this botnet is cross-platform, adjusting its payload and delivery methods to the platform it finds itself infecting. Incident response stops the damage after the fact; however, when those teams are supplemented with proper threat research and proactive threat hunting, the time to detection is reduced and the risk of harm from the malware is minimized. With proper attention, researchers and hunters craft detections that are able to cut the attackers off in the early stages of infection, before further compromise and manipulation of data occurs. Binary Defense provides Threat Hunting services, working closely with Counterintelligence to supplement Security Operations Center monitoring.