Friday, February 7, 2025
Hackers Using Prometei Botnet to Exploit Microsoft Exchange Vulnerabilities


Researchers from Cybereason have recently disclosed a new, highly targeted botnet campaign that uses the stealthy and widespread Prometei botnet to attack companies around the world.

Threat actors are exploiting the recently published Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to penetrate networks indiscriminately. This threat is causing major financial and data losses for businesses.

An attacker can chain these vulnerabilities together to authenticate to the Exchange server, gain administrator rights, install malware, and steal data from the compromised systems.

In March, more than 10 hacking groups attacked vulnerable Microsoft Exchange servers, deploying miners, ransomware, and web shells on the servers they could reach.

Microsoft, however, stated last month that nearly 92% of all internet-facing Exchange servers had already received the security patches.

The senior director and head of threat research at Cybereason, Assaf Dahan, said that “the Prometei botnet poses a great risk to the companies around the globe, as they have not been sufficiently informed about it. When attackers take control of the infected machines, they get the ability to steal not only cryptocurrencies but also sensitive information of the victims.”

Key Findings

  • Exploiting Microsoft Exchange Vulnerabilities
  • Wide range of Victims
  • Exploiting SMB and RDP Vulnerabilities
  • Cross-Platform Threat
  • Cybercrime with APT Flavor
  • Resilient C2 Infrastructure
  • Older than it Seems

This modular malware was first detected by cybersecurity experts last year, and it can infect both Windows and Linux systems.

It has also previously used the EternalBlue exploit to spread across compromised networks and infect every vulnerable system it could reach.

Security researchers at the Cybereason Nocturnus team state that Prometei has been known to the cybersecurity community since 2016. The botnet was recently updated, and its operators have taught it to exploit the ProxyLogon vulnerabilities.

As a result, the Prometei botnet now attacks Microsoft Exchange servers and then installs a Monero cryptocurrency-mining payload on the infected machine.

The botnet then seeks to spread across the infected network using exploits such as EternalBlue and BlueKeep, credential harvesting, SMB and RDP exploits, and other modules such as an SSH client and an SQL spreader.

If those methods fail, the malware falls back to the EternalBlue exploit, forcing SMB back to the vulnerable version 1, and to BlueKeep.

The threat actors' primary goal is to install cryptojacking malware, a Monero miner, to mine cryptocurrency on the victims' hardware.

The Prometei botnet generally exploits the vulnerabilities in Microsoft Exchange servers to gain initial network access and then tries to infect as many endpoints as possible, using a whole set of known attack methods to move laterally across the network.

Moreover, the updated version of the malware has backdoor capabilities, supporting an extensive set of commands that include downloading and executing files, searching for files on compromised machines, and executing programs or commands on behalf of the threat actors.

File names used

  • C:\dell\searchindexer.exe
  • C:\dell\desktop.dat
  • C:\Windows\svchost.exe

Breakdown of MITRE ATT&CK (figure in the original article)

The cybersecurity analysts also note that the operators of the Prometei botnet seek long-term persistence in the compromised network, using methods associated with advanced persistent threat (APT) groups and state-sponsored hacking groups.

The security researchers also believe that the Prometei botnet is still looking for new targets; the best way to avoid becoming a victim is to apply all the security updates Microsoft has released for vulnerable Exchange Server installations.

As for the crypto-miner itself, it is a resource-intensive payload that degrades network stability and performance, which in turn affects business continuity.

Affected organizations should therefore first establish a sound patch-management process and patch all vulnerable systems. Security and IT teams play the key role in preventing such incidents, as they continuously track known threats and report them to the organization for mitigation.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.