Hackers Using Prometei Botnet to Exploiting Microsoft Exchange Vulnerabilities

Researchers from Cybereason has recently announced the discovery of a new highly-targeted botnet campaign, which uses the stealth and omnipresent Prometei botnet to target companies around the world.

Threat actors are exploiting the recently published Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to penetrate random networks. This threat is causing major financial and data losses for businesses.

All these vulnerabilities can be connected together by any attackers to exploit these flaws to authenticate on the Exchange server to gain administrator rights, install malware, and steal data from the infected systems.

As in March, more than 10 hacking groups have attacked the vulnerable Microsoft Exchange servers by disposing of the miners, ransomware, and web shells on all the vulnerable servers.

But, Microsoft has already claimed that last month, nearly 92% of all the Exchange servers that are connected to the internet have already received the security patches.

The senior director and head of threat research at Cybereason, Assaf Dahan, said that “the Prometei botnet poses a great risk to the companies around the globe, as they have not been sufficiently informed about it. When attackers take control of the infected machines, they get the ability to steal not only cryptocurrencies but also sensitive information of the victims.”

Key Findings

• Exploiting Microsoft Exchange Vulnerabilities
• Wide range of Victims
• Exploiting SMB and RDP Vulnerabilities
• Cross-Platform Threat
• Cybercrime with APT Flavor
• Resilient C2 Infrastructure
• Older than it Seems

This modular malware was initially detected by cybersecurity experts last year, and it’s capable of infecting the systems based on Windows and Linux.

Apart from these things, it also has previously used the EternalBlue exploit to spread across compromised networks and compromise all the vulnerable systems.

Security researchers at the Cybereason Nocturnus team have claimed that Prometei has been known to the cybersecurity community since 2016. And the botnet was recently updated, and the operators of it have made it learn how to exploit ProxyLogon vulnerabilities.

That’s why now Prometei botnet attacks Microsoft Exchange servers and then installs the payloads for mining cryptocurrency (Monero) on the infected machine.

After that, the botnet seeks to spread across the infected network by using the exploits like EternalBlue, BlueKeep, harvesting credentials, SMB & RDP exploits and other modules like SSH client and SQL spreader.

In case of any failure, the malware launches the following exploits, EternalBlue, with a forced rollback of SMB to vulnerable version 1 and BlueKeep.

Here the primary target of the threat actors is to install the cryptojacking malware or Monero miner to extract cryptocurrency like Monero.

The Prometei botnet generally exploits the vulnerabilities in Microsoft Exchange servers to gain initial network access and tries to infect as many as possible endpoints using a whole set of known attack methods to proceed indirectly across the network.

Moreover, the updated version of the malware has backdoor capabilities with support for an extensive set of commands that includes downloading and executing files, searching for files on compromised machines, and executing programs or commands on behalf of the threat actors.

File names used

• C:\dell\searchindexer.exe
• C:\dell\desktop.dat
• C:\Windows\svchost.exe

Breakdown of Mitre ATT&CK

The cybersecurity analysts have also noted and claimed that the operators of the Prometei botnet want long-term persistence in the compromised network, using methods linked to advanced  APT groups and government hacking groups.

Apart from these, the security researchers believe that the Prometei botnet is still looking for new targets, and here the best way to avoid being a victim of this botnet is to apply all the security updates released by Microsoft for its vulnerable Exchange Server.

While now, if we talk about the crypto-miner, then we all know that it’s really a resource-consuming means that adversely affects the network stability and performance, which in turn affects the business continuity.

So, the affected organizations should first try to get one good process for managing code and patch all the vulnerable systems. But, here, the security and IT teams play the key role in preventing such incidents, as they constantly pursue all the known threats and report them to the organization to mitigate.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.