A heretofore little-seen botnet dubbed Prometei is taking a page from advanced persistent threat (APT) cyberattackers: The malware is exploiting two of the Microsoft Exchange vulnerabilities collectively known as ProxyLogon, in order to drop a Monero cryptominer on its targets.
It’s also highly complex and sophisticated, researchers noted. While cryptojacking is its current game, Cybereason researchers warned that Prometei (the Russian word for Prometheus, the Titan god of fire from the Greek mythology) gives attackers complete control over infected machines, which makes it capable of doing a wide range of damage.
“If they wish to, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints,” Cybereason researcher Lior Rochberger noted in an analysis released Thursday. “[And] since cryptomining can be resource-hogging, it can affect the performance and stability of critical servers and endpoints, ultimately affecting business continuity.”
The report noted that Cybereason has recently seen wide swathes of Prometei attacks on a variety of industries, including construction, finance, insurance, manufacturing, retail, travel and utilities. Geographically speaking, it has been observed infecting networks in the U.S., U.K. and many other European countries, as well as countries in South America and East Asia. It was also observed that the threat actors appear to be explicitly avoiding infecting targets in former Soviet-bloc countries.
“The victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread,” Rochberger said.
Exploiting Microsoft Exchange Security Bugs
ProxyLogon consists of four flaws that can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the deployment of ransomware, or as in this case, cryptominers.
Microsoft last month warned that the bugs were being actively exploited by the Hafnium advanced persistent threat (APT); after that, other researchers said that 10 or more additional APTs were also using them.
When it comes to Prometei, researchers have observed attacks against companies in North America making use of the ProxyLogon bugs tracked as CVE-2021-27065 and CVE-2021-26858. Both are post-authentication arbitrary file-write vulnerabilities in Exchange; once authenticated with an Exchange server, attackers could write a file to any path on the server – thus achieving RCE.
The attackers use the vulnerabilities to install and execute the China Chopper web shell, according to Rochberger. They then use China Chopper to launch a PowerShell, which in turn downloads a payload from an attacker-controlled URL. That payload is then saved and executes, which ultimately starts the Prometei botnet execution.
“Prometei is a modular and multistage cryptocurrency botnet that was first discovered in July 2020 which has both Windows and Linux versions,” explained Rochberger, who added that the botnet could extend back to 2016. “The latest versions of Prometei now provide the attackers with a sophisticated and stealthy backdoor that supports a wide range of tasks that make mining Monero coins the least of the victims’ concerns.”
Prometei Under the Hood
The first module of the botnet, zsvc.exe, copies itself into C:\Windows with the name “sqhost.exe,” and then creates a firewall rule that will allow sqhost.exe to create connections over HTTP, according to the research. It also sets a registry key for persistence, and creates several other registry keys for later command-and-control (C2) communications by additional modules.
“Sqhost.exe is the main bot module, complete with backdoor capabilities that support a wide range of commands,” according to the analysis. “Sqhost.exe is able to parse the prometei.cgi file from four different hardcoded C2 servers. The file contains the command to be executed on the machine. The commands can be used as standalone native OS commands…or can be used to interact with the other modules of the malware.”
It also controls the XMRig cryptominer that the malware installs on the machine, Cybereason noted. The commands on offer include the ability to execute a program or open a file; start or stop the mining process; download files; gather system information; check if a specific port is open; search for specific files or extensions; and update the malware – among other things.
“The malware authors are able to add more modules and expand their capabilities easily, and potentially even shift to another payload objective, more destructive than just mining Monero,” Rochberger warned.
The report noted that the execution of the malware also includes two other “tree processes:” cmd.exe and wmic.exe.
Wmic.exe is used to perform reconnaissance commands, including gathering the last time the machine was booted up, the machine model and more. Meanwhile Cmd.exe is used to block certain IP addresses from communicating with the machine.
“We assess that those IP addresses are used by other malware, potentially miners, and the attackers behind Prometei wanted to ensure that all the resources of the network are available just for them,” Rochberger explained.
Lateral Malware Movement: Additional Malicious Modules
Prometei uses different techniques and tools, ranging from Mimikatz to the EternalBlue and BlueKeep exploits, along with other tools that all work together to propagate across the network, according to the analysis. To carry all of this out, the main botnet module downloads additional modules, including four main components:
- exe and an archived file, Netwalker.7z (7zip is used to extract the files in the archive)
Exchdefender masquerades as a made-up program called “Microsoft Exchange Defender.” It constantly checks the files within a program files directory known to be used to host web shells, looking for one file in particular, according to Cybereason.
“The malware is specifically interested in the file ‘ExpiredPasswords.aspx’ which was reported to be the name used to obscure the HyperShell backdoor used by APT34 (aka. OilRig),” Rochberger said. If the file exists, the malware immediately deletes it. Our assessment is that this tool is used to “protect” the compromised Exchange Server by deleting potential WebShells so Prometei will remain the only malware using its resources.”
The Netwalker.7z archive meanwhile is password-protected, using the password “horhor123.” The archive contains the following files: Nethelper2.exe, Nethelper4.exe, Windrlver.exe, a few DLLs,a copy of RdpcIip.exe and a few DLLs used by the bot components.
RdcIip.exe is a key component of the malware, used for harvesting credentials and spreading laterally across the network, Rochberger explained. It also tries to propagate within the network environment by brute-forcing usernames and passwords using a built-in list of common combinations, he said.
If that doesn’t work, it turns to the SMB shared-drive exploit EternalBlue to execute a shell code for installing the main bot module Sqhost.exe. To use the exploit, the malware downgrades the SMB protocol to SMB1, which is vulnerable to it. Cybereason also observed the module using the Remote Desktop Protocol (RDP) exploit BlueKeep.
Interestingly, RdpcIip also can coordinate other components of the bot such as Windlver.exe, which is an OpenSSH and SSLib-based software that the attackers created so they can spread across the network using SSH, the report noted.
“[RdpcIip] has huge (trust us, huge) functionality with different branches with the main purpose being to interact with other components of the malware and make them work all together,” Rochberger said.
And finally, Miwalk.exe is a customized version of the Mimikatz credential-finding tool that RdpcIip.exe launches. The output is saved in text files and used by RdpcIip as it tries to validate the credentials and spread, according to the analysis.
Taking a Page from APTs
The group behind Prometei is financially motivated and operated by Russian-speaking individuals but is not backed by a nation-state, according to Cybereason. Nonetheless, the malware’s sophistication and rapid incorporation of ProxyLogon exploits shows advanced capabilities that could make the botnet a serious danger in terms of espionage, information theft, follow-on malware and more, Rochberger warned.
“Threat actors in the cybercrime community continue to adopt APT-like techniques and improve the efficiency of their operations,” he explained. “Prometei is a complex and multistage botnet that, due to its stealth and wide range of capabilities, puts the compromised network at great risk…The threat actors rode the wave of the recently discovered flaws and exploited them in order to penetrate targeted networks. We anticipate continued evolution of the advanced techniques being used by different threat actors for different purposes, including cybercrime groups.”
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!