Cisco’s Talos Intelligence recently analyzed a complex Monero botnet they are calling “Prometei.” Prometei attempts to spread using credentials stolen with a modified Mimikatz module, later deploying with PsExec, Remote Desktop and WMI. If these methods fail, it also takes advantage of SMB exploits. Talos researchers were able to discover more than 15 different modules used by the botnet. All modules were controlled by a single module disguising itself as “svchost.exe” which is normally a service that can be expected on a Windows machine. This module stays in constant communication with the Command and Control (C2) server over HTTP, using RC4 to send encrypted data. Any possible administrative credentials discovered through the Mimikatz module are sent to the C2 for use later.
Of the 15+ modules discovered, Prometei has two distinct types of modules. The main modules are used for the cryptocurrency-related functions, credential theft, lateral movement and C2 communication. All main modules were developed in C++. The second type of modules, created in .NET, deal with attempts at brute-forcing credentials over Remote Desktop Protocol (RDP) and SMB. It also contains a module which communicates with its own C2 and contains possible code for crypto mining, but this code has not been observed to be in use.
Although Prometei is primarily a cryptocurrency botnet, it does contain functionality to behave as a Remote Access Trojan (RAT). Talos has detailed over 20 possible commands a bot could expect to receive. Notable actions taken by the commands include:
- Executing another application
- Redirect a shell over HTTP
- Execute commands
- Get or set an encryption key
- Update C2 address
- Download files
- Start or stop mining