Prometei is a cross-platform botnet first observed in July 2020. Initially the botnet gained its foothold through SMB brute-forcing and exploits such as EternalBlue. More recently, Cybereason responded to multiple incidents in which Prometei used CVE-2021-27065 and CVE-2021-26858 to gain initial access to targeted systems. The malware is opportunistic, infecting machines across multiple countries and industries. One interesting finding is that it appears to explicitly avoid infecting machines in former Soviet countries.
Prometei is advanced in nature. Its infection chain is made up of multiple modules, including more than 15 executable files. The botnet supports multiple commands, with the main observed objective being the mining of Monero cryptocurrency. Its operators also have the option to harvest credentials and other data and to maintain persistence, which would allow them to collaborate with other threat groups in follow-on operations.