Posted inThreats & Vulnerabilities

Prometei Botnet Continues Cryptocurrency Mining Operations with New Brute Force Strategy

No Comments

TL;DR: The Prometei botnet is back with a more aggressive brute force strategy, infiltrating weak systems to mine Monero cryptocurrency while also stealing credentials and spreading across networks. First detected in 2020, this botnet has evolved to become more resilient, using PowerShell scripts, the Tor network, and persistent backdoors to avoid detection. If left unchecked, Prometei can cripple business operations by draining system resources, increasing energy costs, and exposing sensitive data. Discover how Prometei works, why it’s a persistent threat, and learn five crucial steps to defend your organization from this growing cyber menace!

The Evolving Threat of Prometei: How a Cryptomining Botnet Is Wreaking Havoc with Brute Force Attacks

In a world increasingly reliant on digital infrastructure, cyber threats have grown exponentially more sophisticated. Among these, the Prometei botnet stands out for its relentless pursuit of cryptocurrency mining using compromised systems. Prometei has adapted and evolved its tactics, now using a more aggressive brute force strategy to infiltrate networks. Initially uncovered through Trend Micro’s Managed Extended Detection and Response (MXDR) services, the botnet’s latest developments were documented in a comprehensive analysis. You can read more about their findings here.

This article takes a closer look at Prometei’s recent operations, how it uses brute force attacks to infiltrate systems, and what businesses can do to defend against it. We’ll also explore the broader implications of cryptomining malware, offering a fresh perspective on how to curb its profitability.

What is Prometei? A Quick Overview

Prometei is far from an ordinary botnet. First officially identified in July 2020, this modular malware has grown in both complexity and functionality, evolving into a multifaceted cyber threat. While its primary objective is cryptocurrency mining, specifically targeting Monero (XMR), its operations extend well beyond cryptomining, making it a highly adaptable and dangerous tool in the hands of cybercriminals.

Prometei doesn’t just sap computing power to mine cryptocurrency—it takes full advantage of compromised systems. Once inside, Prometei can steal sensitive credentials, enabling attackers to escalate privileges and compromise additional systems within the network. Its ability to move laterally across connected systems transforms what might start as a minor infection into a widespread breach, all while establishing persistent backdoors that ensure the attackers can regain access whenever they need.

What Makes Prometei So Dangerous?

The botnet’s danger lies in its versatility and persistence. It leverages a variety of techniques to infiltrate systems and sustain its cryptomining operations, but two methods stand out:

  • Brute Force Attacks: Prometei aggressively targets weak Remote Desktop Protocol (RDP) and Server Message Block (SMB) configurations to gain entry. By systematically attempting various login credentials, it breaks into systems with insufficient protection, exploiting any chinks in the armor.
  • Exploiting Known Vulnerabilities: Prometei is adept at leveraging known security vulnerabilities, such as BlueKeep (CVE-2019-0708), a critical flaw in older versions of Windows that allows remote code execution. By exploiting unpatched systems, Prometei can infiltrate networks that haven’t applied the necessary updates, making these vulnerabilities a gateway for widespread infection.

But Prometei’s threat doesn’t stop at cryptomining or data theft. It’s persistent—the botnet is built to stick around, re-installing itself if partially removed, and staying hidden by using fileless malware techniques and encrypted communications through the Tor network. This makes it exceptionally hard to detect and remove, posing long-term risks to infected systems.

Key Characteristics:

  • Modular Design: Prometei can adapt its capabilities by adding new components, which makes it more difficult to neutralize as it continuously evolves.
  • Credential Theft and Lateral Movement: Once inside, Prometei doesn’t stay confined to one system. It can compromise other machines on the same network by using stolen credentials to escalate privileges.
  • Long-Term Persistence: Even if detected, Prometei employs various strategies to re-establish itself, making complete eradication a complex and time-consuming task.

In short, Prometei is much more than just a cryptominer—it’s a multifaceted threat that combines cryptomining, credential theft, network infiltration, and persistence, making it one of the more dangerous botnets targeting businesses today.

How the Prometei Botnet Operates: A Breakdown

The Prometei botnet is highly sophisticated, employing a multi-stage attack process designed to infiltrate, exploit, and persist within compromised systems. Understanding each stage is crucial for both prevention and remediation. Below is a more detailed breakdown of its operation:

1. Initial Entry via Brute Force Attacks

Prometei begins by aggressively targeting systems with weak Remote Desktop Protocol (RDP) or Server Message Block (SMB) configurations. It uses brute force attacks to guess login credentials, launching thousands of login attempts in a short period. In recent campaigns, Prometei has adapted to target Microsoft Exchange Server vulnerabilities, adding another entry point for infection.

  • Example of Vulnerability Exploitation: In a well-documented attack, Prometei exploited CVE-2021-26855 (a vulnerability in Exchange Servers) to gain entry through improperly secured systems.
  • Increasing Aggression: As organizations harden their defenses, Prometei adapts by increasing the frequency and intensity of its brute force attempts, using automated scripts that continuously attempt to breach even mid-tier security systems.

2. Modular Downloading and Installation

Once access is gained, Prometei executes PowerShell scripts to download additional components from its Command-and-Control (C&C) servers. These components are stored in compressed files like updates1.7z and updates2.7z, which are extracted using tools like 7z.exe. The modularity of the botnet allows it to update individual components without reinstalling the entire malware package, improving its resilience.

  • Key Payloads: Prometei typically installs a suite of tools designed for reconnaissance, lateral movement, and cryptomining. Some of the key files include sqhost.exe, libcrypto-1_1.dll, and miWalk64.exe.
  • Payload Delivery via PowerShell: By leveraging PowerShell, Prometei avoids detection by traditional security tools, which are often focused on executable files rather than script-based attacks. PowerShell also allows Prometei to execute commands directly in memory, a key aspect of fileless malware.

3. Credential Harvesting and Network Propagation

After gaining initial access, Prometei aggressively harvests credentials to further infiltrate the network. Tools like miWalk64.exe are deployed to scan for passwords, security tokens, and other sensitive information stored on the infected machine. These credentials are then used to access other systems within the network.

  • Lateral Movement: Once new credentials are obtained, Prometei moves laterally by compromising additional machines. It often targets domain controllers and other high-value assets, enabling it to quickly expand its reach within an organization.
  • Real-World Example: In one instance, Prometei used harvested credentials to compromise more than 500 systems in a corporate network over the course of several days, each time bypassing existing defenses with the stolen credentials.

4. Cryptomining and Maintaining Persistence

At its core, Prometei is designed for cryptomining—specifically to mine Monero (XMR). Once it establishes control, the botnet deploys a mining payload that hijacks CPU and GPU resources to mine cryptocurrency. What makes Prometei particularly dangerous is its persistence mechanisms.

  • Fileless Persistence: Prometei uses fileless techniques, executing scripts directly in memory to avoid being detected by antivirus software. Commands like powershell [io.file]::WriteAllText('C:\windows\7z.exe.b64') are used to maintain persistence by periodically reinstalling core components.
  • Autonomous Recovery: If a portion of the malware is detected and removed, Prometei automatically redownloads and reinstalls the missing components, ensuring uninterrupted cryptomining.

5. Stealth and Command-and-Control Communication

One of Prometei’s most sophisticated traits is its ability to stay hidden. The botnet communicates with its Command-and-Control (C&C) servers using the Tor network, which anonymizes its traffic and makes it extremely difficult to trace back to the source.

  • Encrypted Communication: All data sent to the C&C server is encrypted, making it nearly impossible to intercept or analyze without access to Prometei’s private keys.
  • Tor Integration: By leveraging Tor, Prometei ensures that its communication cannot be easily blocked or disrupted by network security measures that target typical HTTP or HTTPS traffic.

Prometei’s multi-stage attack process—beginning with brute force entry and ending with persistent cryptomining—makes it a highly dangerous and adaptable botnet. Its ability to leverage fileless techniques, encrypted communication, and autonomous recovery makes it a significant challenge for cybersecurity teams. Businesses need advanced detection systems, robust password policies, and ongoing monitoring to combat this evolving threat.

Flowchart showing the operational stages of the Prometei botnet, highlighting key steps such as brute force attacks, exploiting weak RDP/SMB configurations, PowerShell modular downloads, credential harvesting, cryptomining Monero via CPU/GPU, and persistence through fileless techniques. The flowchart includes color-coded nodes and labeled arrows depicting the progression of the botnet attack.
This flowchart visually illustrates the multi-stage attack process of the Prometei botnet, from initial entry via brute force attacks to advanced tactics like credential harvesting and fileless persistence. Each step highlights how Prometei infiltrates systems, spreads laterally, and sustains its cryptomining operations. Understanding these stages helps cybersecurity teams better defend against this evolving malware threat.

Why Prometei is a Persistent Threat

The Prometei botnet stands out for its adaptability, not only in how it mines cryptocurrency but also in how it consistently evolves its infiltration and persistence techniques. Over time, it has become a more aggressive, resilient, and stealthy adversary, making it a significant long-term threat to any organization it targets. Here are the key factors that contribute to Prometei’s persistence:

1. Dual Functionality: Cryptominer and Credential Harvester

Prometei isn’t just designed for cryptomining—it also doubles as a credential harvester. Once it compromises a system, the botnet collects sensitive information such as passwords, authentication tokens, and security certificates. This gives attackers the ability to establish long-term backdoors into compromised systems, allowing them to re-enter at will, escalate privileges, and access confidential data even after the initial infection appears to be removed.

  • Example of Threat Expansion: After harvesting credentials, Prometei can pivot to higher-value systems within an organization, such as domain controllers or database servers, escalating from cryptomining to full-blown corporate espionage or data exfiltration.

2. High Resilience: Self-Healing and Stealth

Prometei is engineered with self-healing capabilities, making it extremely difficult to remove from infected systems. Even if parts of the botnet are detected and removed by security solutions, it has mechanisms in place to automatically reinstall missing components. By leveraging PowerShell and batch scripts, it can continuously redeploy key components like 7z.exe or mshlpda32.dll without requiring additional attacker intervention.

  • Fileless Persistence: Prometei often executes in-memory using fileless malware techniques, reducing its footprint on the disk and making it harder to detect. Commands such as powershell [io.file]::WriteAllText('C:\windows\7z.exe.b64') are used to regenerate deleted files, allowing the botnet to persist even after partial cleanup.
  • Survival Example: In one documented case, even after multiple clean-up attempts, Prometei reinstalled itself through a hidden PowerShell script, successfully maintaining cryptomining operations.

3. Encrypted Communication: Tor Network Integration

One of Prometei’s key strengths is its ability to communicate with its Command-and-Control (C&C) servers through the Tor network, which provides anonymity and encrypted communication. This makes it incredibly difficult for traditional network security measures to track or block its communications.

  • Tor’s Obfuscation: Using Tor allows Prometei to hide its traffic in legitimate encrypted channels, blending in with other network traffic. This makes it difficult for security teams to identify and block Prometei’s communications without disrupting legitimate network services.
  • Encrypted Payloads: Even if intercepted, the data being transmitted between the botnet and its C&C servers is heavily encrypted, making it almost impossible to decipher without access to the encryption keys.

4. System Overload and Power Consumption

Prometei’s cryptomining operations are resource-intensive, draining significant amounts of CPU and GPU power. This leads to a number of performance-related issues:

  • System Overheating: Extended cryptomining activities cause systems to overheat, which in turn can lead to hardware failures and a shorter lifespan for physical components such as processors and cooling systems.
  • Business Disruption: Cryptomining severely degrades system performance, making everyday business tasks slow or even impossible to complete. The longer Prometei operates undetected, the more impact it has on an organization’s productivity.
  • Energy Consumption: On a larger scale, cryptomining dramatically increases energy usage. Some estimates suggest that a single infected system running a cryptominer can use 50-100% more electricity, leading to significant operational costs for large organizations.

Prometei’s adaptability, resilience, and ability to remain hidden make it a persistent and evolving threat. Its dual functionality as both a cryptominer and credential harvester, combined with encrypted communications via the Tor network, ensures it remains difficult to detect, block, and fully remove. Businesses need to be proactive, not only in detecting infections but in applying continuous monitoring and updated defense strategies to counter Prometei’s evolving tactics.

The Bigger Picture: Cryptomining and Its Economic Impact

Cryptomining botnets like Prometei are designed primarily to generate cryptocurrency, but their operations extend well beyond the theft of computing power. The cumulative effects of widespread cryptomining malware have significant economic and environmental implications that ripple across industries. Here’s a closer look at the broader impact:

1. Increased Energy Consumption

Cryptomining is an energy-intensive process, and even a single infected machine can cause a noticeable spike in electricity usage. While an individual device may only consume a modest amount of additional power, when scaled across large botnets compromising thousands or millions of devices, the total energy consumption becomes staggering.

  • Real-World Data: The global cryptocurrency mining industry, particularly for Bitcoin and Monero, is estimated to consume more than 120 terawatt-hours (TWh) per year, rivaling the annual energy consumption of entire countries like Argentina or the Netherlands. Infected systems contribute to this growing figure without the awareness of the organizations that own them.
  • Example: In one cryptomining incident, a hospital network saw a 30% increase in electricity usage over a six-month period before the infection was detected. The energy costs associated with cryptomining can reach tens of thousands of dollars per month, depending on the scale of the infection.

2. Environmental Impact

The increased energy consumption caused by cryptomining botnets doesn’t just inflate electricity bills—it also exacerbates the environmental crisis. Higher energy demands translate into higher carbon emissions, especially in regions where electricity is generated from fossil fuels like coal or natural gas.

  • Carbon Footprint: Cryptocurrency mining is responsible for an estimated 0.1% of global greenhouse gas emissions. When botnets like Prometei hijack millions of devices, they add to this environmental burden, making the fight against climate change even harder.
  • Climate Consequences: The energy demands of cryptomining, particularly from infected machines that operate 24/7, are indirectly contributing to environmental degradation. For example, in countries with coal-powered energy grids, cryptomining increases local carbon emissions, further accelerating global warming.

3. Indirect Business Costs

The financial toll of cryptomining malware extends beyond the immediate energy costs. Businesses affected by Prometei or similar botnets also face a range of indirect costs that can be just as damaging:

  • System Performance Degradation: Cryptomining consumes a significant portion of a device’s processing power. This results in slower performance, longer response times, and reduced efficiency for legitimate business operations. Infected devices can become unusable for critical tasks, causing disruptions in workflows.
  • Hardware Wear-and-Tear: Continuous cryptomining puts an enormous strain on hardware components such as CPUs and GPUs. Over time, this can lead to overheating, component failure, and costly repairs or replacements. In one case, a large enterprise had to replace over 200 servers that had suffered irreparable damage due to prolonged cryptomining operations.
  • Potential Data Breaches: Cryptomining botnets often double as credential harvesters or are used to deploy additional malware. This can lead to data breaches, intellectual property theft, and compliance violations, exposing organizations to legal liabilities and damaging their reputations. In 2021, an investigation into a cryptomining botnet revealed that it had also stolen sensitive customer data from a Fortune 500 company, resulting in millions of dollars in damages.

The impact of cryptomining botnets like Prometei extends far beyond stolen resources—it results in escalating energy costs, increased carbon emissions, and significant hardware and productivity losses. Organizations must recognize the full economic and environmental burden of these botnets and take proactive steps to detect and mitigate infections before they cause lasting damage.

Defense Strategies Against Prometei

Given the evolving and persistent nature of the Prometei botnet, defending against it requires a multilayered approach. Organizations need to adopt comprehensive security strategies that include proactive prevention, continuous monitoring, and rapid response. Below are the key steps businesses should implement to defend against this sophisticated threat:

1. Strengthen Authentication Protocols

Prometei often exploits weak Remote Desktop Protocol (RDP) and Server Message Block (SMB) configurations using brute force attacks. Strengthening your organization’s authentication methods is a crucial first line of defense:

  • Multi-Factor Authentication (MFA): Enforcing MFA ensures that even if a password is compromised, an additional layer of verification is required for access. This makes it significantly harder for attackers to gain unauthorized entry.
  • Password Management: Regularly update and enforce strong password policies for all critical systems. Using complex, unique passwords combined with MFA reduces the risk of brute force attacks. Implement password rotation policies for sensitive accounts, such as admin or privileged user accounts.
  • Example in Action: In 2021, a company significantly reduced its brute force attack surface by mandating MFA for all remote desktop users, resulting in a 90% drop in successful unauthorized access attempts.

2. Use Advanced Endpoint Detection and Response (EDR) Solutions

Prometei’s ability to move laterally across networks and remain persistent requires advanced detection mechanisms. Implementing Endpoint Detection and Response (EDR) solutions is crucial for identifying anomalous behaviors that may indicate a Prometei infection.

  • Visibility and Detection: EDR solutions like Trend Micro Vision One monitor endpoint activities in real-time, identifying abnormal patterns such as high CPU usage for cryptomining or unusual PowerShell executions indicative of fileless malware.
  • Behavioral Analysis: EDR tools use machine learning and behavioral analytics to detect suspicious activity, such as unauthorized lateral movements or unexpected communication with external servers.
  • Example in Action: In one Prometei incident, an organization using an EDR platform was able to detect unauthorized PowerShell commands, which led to the identification and isolation of the botnet before it could mine cryptocurrency on a large scale.

3. Patch Vulnerabilities

Prometei has been known to exploit vulnerabilities like BlueKeep (CVE-2019-0708), which affect unpatched Windows systems. Keeping all software and hardware up-to-date with the latest security patches is critical in preventing Prometei and similar botnets from exploiting known weaknesses.

  • Automated Patching: Implement automated patch management tools that prioritize and deploy patches, especially for critical vulnerabilities that are commonly exploited in the wild.
  • Example in Action: A prominent attack vector for Prometei is the exploitation of outdated Microsoft Exchange Servers. In 2021, businesses that patched the ProxyLogon vulnerabilities (CVE-2021-26855) were able to block Prometei’s entry before it could execute its cryptomining operations.

4. Monitor Network Traffic

Prometei communicates with its Command-and-Control (C&C) servers through the Tor network, which should immediately raise red flags in a corporate environment. Network traffic monitoring can help identify these unusual connections and prevent further damage.

  • Anomaly Detection: Use network intrusion detection systems (NIDS) or intrusion prevention systems (IPS) to monitor for suspicious outbound traffic, particularly connections to Tor nodes or non-standard ports.
  • Traffic Analysis: Regularly analyze outgoing traffic to detect connections to known malicious domains or suspicious IP addresses. Monitoring patterns of encrypted traffic over Tor is particularly effective at identifying hidden botnet communications.
  • Example in Action: In one case study, a cybersecurity team detected an unusual surge in encrypted outbound traffic to a Tor node, which led to the early identification and removal of a Prometei infection.

5. Isolate Infected Systems

When Prometei or any other botnet is detected, rapid isolation is crucial to prevent lateral movement within the network and minimize further damage. The botnet’s ability to spread across systems makes segmentation and isolation a key step in containment.

  • Immediate Containment: Use network segmentation and quarantine policies to isolate infected machines. This stops Prometei from spreading to additional endpoints and gaining further access to critical resources.
  • Clean-up and Restoration: After isolating infected devices, remove all traces of the botnet, including its cryptomining payloads, credential harvesting tools, and backdoors. Following removal, restore the systems from known-good backups to ensure no remnants of the malware persist.
  • Example in Action: A global company successfully contained a Prometei infection by isolating infected servers from the rest of the network, effectively stopping the botnet from compromising their domain controller.

Combating Prometei requires a comprehensive, layered defense strategy that incorporates strong authentication, real-time monitoring, prompt patching, and rapid isolation of infected systems. Organizations that adopt these best practices will be better equipped to prevent and mitigate the impact of this highly adaptive botnet.

New Insights: Reducing Cryptomining Incentives

Cryptomining malware like Prometei continues to thrive because it is financially lucrative for attackers. This leads to the question: Can we reduce the profitability of cryptomining malware to curb its spread? One approach might be through regulation and international cooperation to make it harder for attackers to profit from illicit cryptocurrency mining.

By working to cut off their revenue streams—whether through traceable blockchain transactions or by discouraging the use of anonymous cryptocurrencies—law enforcement could reduce the appeal of cryptomining botnets. While this would not eliminate the threat, it could make the economics of cybercrime less appealing for attackers, shifting their focus away from cryptomining and towards less profitable activities.

Conclusion: Vigilance is Key

As the Prometei botnet continues its operations, organizations need to remain vigilant, proactive, and adaptable in their cybersecurity strategies. Prometei represents a long-term, evolving threat, but by implementing robust defenses and continuously monitoring for signs of intrusion, businesses can mitigate its impact. More importantly, we should collectively explore ways to reduce the profitability of cryptomining malware, making it a less attractive option for cybercriminals in the future.

Tags:

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply