Prometei Botnet Engages in Complex Attacks on Windows Servers
The Prometei botnet, linked to Russian cybercriminals, has been actively targeting Windows Server systems since its emergence in 2016. This sophisticated malware is known for its ability to mine cryptocurrency, steal credentials, and maintain long-term remote access to compromised networks.
Exploiting weak or default Remote Desktop Protocol (RDP) passwords, attackers gain entry to systems and deploy Prometei through a two-stage process utilizing Command Prompt and PowerShell. The malware writes a crucial XOR key file, mshlpda32.dll, to decrypt and execute its main payload.
Technical Sophistication and Encryption Techniques
Prometei’s advanced capabilities are evident in its use of multiple encryption layers, including RC4, LZNT1, and RSA-1024, which complicate detection and analysis. The malware gathers comprehensive system data, such as computer names, hardware details, and running processes, by employing legitimate Windows tools like wmic.exe.
For communication, the botnet leverages both clear web and TOR network channels to ensure privacy. It uses a rolling XOR key-based cipher for decryption, applying unique transformations to each byte. This complex encryption strategy poses challenges for cybersecurity defenses.
Expanding Capabilities and Maintaining Control
Prometei extends its impact through additional modules. For instance, netdefender.exe monitors failed login attempts and enforces firewall rules to block rival attackers, showcasing its ‘jealous tenant’ behavior. It also employs Mimikatz variants for credential harvesting and uses rdpcIip.exe for lateral movements across networks.
To enhance anonymity, Prometei includes TOR proxy modules that enable anonymous traffic routing. The botnet’s modular design allows it to evolve continuously, updating components independently to adapt to security measures.
Defensive Measures and Detection Strategies
Security researchers have developed YARA rules and Python utilities to identify Prometei infections. Organizations are advised to enforce strong password policies, implement multi-factor authentication, and monitor RDP services for suspicious activities to thwart attacks.
Endpoint Detection and Response (EDR) solutions prove vital in recognizing the intricate process chains and registry alterations typical of Prometei infections. Additionally, network monitoring should prioritize unusual outbound connections, particularly those linked to C2 infrastructures and TOR exit nodes.
As Prometei continues to evolve, staying informed and implementing robust cybersecurity measures remain crucial in protecting Windows Server environments against this formidable threat.
