Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Botnet. Show all posts
Palo Alto Networks
Botnet Botnet attack cryptocurrency mining Cyber Attacks Evasion Tactics Linux Linux Malware Linux Security Linux Servers Malware attacks Palo Alto Palo Alto Networks

Palo Alto Detects New Prometei Botnet Attacks Targeting Linux Servers

Cybersecurity analysts from Palo Alto Networks’ Unit 42 have reported a resurgence of the Prometei botnet, now actively targeting Linux systems with new, upgraded variants as of March 2025. Originally discovered in 2020 when it was aimed at Windows machines, Prometei has since expanded its reach. 

Its Linux-based malware strain has been in circulation since late 2020, but recent versions—designated as 3.x and 4.x—demonstrate significant upgrades in their attack capabilities. The latest Prometei malware samples are equipped with remote control functionality, domain generation algorithms (DGA) to ensure connection with attacker-controlled servers, and self-updating systems that help them remain undetected. This renewed activity highlights the botnet’s growing sophistication and persistent threat across global networks. 

At its core, Prometei is designed to secretly mine Monero cryptocurrency, draining the resources of infected devices. However, it also engages in credential harvesting and can download additional malicious software depending on the attacker’s goals. Its modular framework allows individual components to carry out specific tasks, including brute-force attacks, vulnerability exploitation (such as EternalBlue and SMB bugs), mining operations, and data exfiltration. 

The malware is typically delivered via HTTP GET requests from rogue URLs like hxxp://103.41.204[.]104/k.php. Prometei uses 64-bit Linux ELF binaries that extract and execute payloads directly in memory. These binaries also carry embedded configuration data in a JSON format, containing fields such as encryption keys and tracking identifiers, making them harder to analyze and block. 

Once a system is compromised, the malware collects extensive hardware and software information—CPU details, OS version, system uptime—and sends this back to its command-and-control (C2) servers, including addresses like hxxp://152.36.128[.]18/cgi-bin/p.cgi. Thanks to DGA and self-update features, Prometei ensures consistent communication with attacker infrastructure and adapts to security responses on the fly.  

To defend against these threats, Palo Alto Networks advises using advanced detection tools such as Cortex XDR, WildFire, and their Advanced Threat Prevention platform. These technologies utilize real-time analytics and machine learning to identify and contain threats. Organizations facing a breach can also contact Palo Alto’s Unit 42 incident response team for expert help. 

The activity observed from March to April 2025 underlines the continued evolution of the Prometei botnet and the growing risk it poses to businesses relying on Linux environments. Strengthening cybersecurity protocols and remaining alert to new threats is essential in today’s threat landscape.
Read more »
Vulnerabilities and Exploits
ASUS Routers Botnet GreyNoise Malicious Campaign Vulnerabilities and Exploits

Thousands of ASUS Routers Affected by Stealthy Persistent Backdoor

 

It seems like someone, possibly nation-state hackers, is building a botnet out of thousands of Asus routers that can withstand firmware patches and reboots. Researchers report that about 9,000 routers have been infiltrated, and the figure is still rising. 

GreyNoise, a security firm, warned on Tuesday that attackers utilise a combination of known and previously undisclosed vulnerabilities to attack routers, including a command injection vulnerability identified as CVE-2023-39780. The tradecraft involved implies "a well-resourced and highly capable adversary," maybe building an operable relay box. 

ORBs are a strategy used by advanced persistent threat groups, including intelligence agencies around the world, to conceal malicious behaviour by routing internet traffic through a network of compromised Internet of Things devices. One cybersecurity firm characterises them as the offspring of a VPN and a botnet.

GreyNoise discovered the effort on March 18 and named the technique employed to backdoor the routers "AyySSHush." The intrusion chain starts with brute-force login attempts and two authentication bypass methods with no corresponding CVEs. After gaining access, attackers use CVE-2023-39780 to activate a security mechanism included into Asus routers by TrendMicro. 

The functionality enables "Bandwidth SQLlite Logging," which lets perpetrators feed a string directly into a system() call. With that power, attackers can enable a secure shell and connect it to a TCP port, along with an attacker-controlled public key. That is the step that renders firmware updates ineffective against the hack. 

"Because this key was introduced using official ASUS features, the configuration change is retained across firmware upgrades. "If you've been exploited before, upgrading your firmware will NOT remove the SSH backdoor," Remacle warned. As of publication, Censys' search had identified 8,645 infected routers. 

ASUS addressed CVE-2023-39780 in recent firmware upgrades. However, machines compromised prior to patching may still contain the backdoor unless administrators verify SSH setups and remove the attacker's key from them. For potential compromises, GreyNoise recommends performing a full factory reset.
Read more »
Proxy
Botnet Brute Force Attacks Cyber Attacks IoT Proxy

2.8 million IP Addresses Being Leveraged in Brute Force Assault On VPNs

 

Almost 2.8 million IP addresses are being used in a massive brute force password attack that aims to guess the login credentials for a variety of networking devices, including those generated by Palo Alto Networks, Ivanti, and SonicWall.

A brute force assault occurs when an attacker attempts to repeatedly log into an account or device with many usernames and passwords until the correct combination is found. Once the malicious actors access the right credentials, they can use them to access a network or take control of a device.

The Shadowserver Foundation, a threat monitoring platform, reports that a brute force attack has been going on since last month, using around 2.8 million source IP addresses every day to carry out these attacks. Brazil accounts for the majority of them (1.1 million), with Turkey, Russia, Argentina, Morocco, and Mexico following closely behind. However, a very big range of countries of origin generally participate in the activity.

These are edge security equipment, such as firewalls, VPNs, gateways, and other security appliances, which are frequently exposed to the internet to allow remote access. The devices used in these attacks are predominantly MikroTik, Huawei, Cisco, Boa, and ZTE routers and IoTs, which are frequently hacked by big malware botnets. 

The Shadowserver Foundation stated to the local media outlet that the activity has persisted for some time but has recently escalated significantly. ShadowServer also indicated that the attacking IP addresses are distributed across various networks and Autonomous Systems, suggesting the involvement of a botnet or an operation linked to residential proxy networks. 

Residential proxies are IP addresses allocated to individual customers of Internet Service Providers (ISPs), rendering them highly desirable for cybercrime, data scraping, circumvention of geo-restrictions, ad verification, and ticket scalping, among other uses. 

These proxies redirect internet traffic over residential networks, giving the impression that the user is a typical home user rather than a bot, data scraper, or hacker. Gateway devices targeted by this activity may be utilised as proxy exit nodes in residential proxying operations, passing malicious traffic through an organization's enterprise network. These nodes are rated "high-quality" because the organisations have a good reputation and the assaults are more challenging to identify and stop. 

Changing the default admin password to a strong and distinct one, implementing multi-factor authentication (MFA), employing an allowlist of trustworthy IPs, and turning down web admin interfaces when not in use are some ways to defend edge devices against brute-forcing assaults. In the end, patching those devices with the most latest firmware and security upgrades is essential to eliminating flaws that threat actors could use to gain initial access.
Read more »
Vulnerabilities and Exploits
Botnet Cyberattacks CyberCrime Cybersecurity CyberThreat Cyberthreats DDOS Attacks IoT Vulnerabilities and Exploits

Understanding and Preventing Botnet Attacks: A Comprehensive Guide

 


Botnet attacks exploit a command-and-control model, enabling hackers to control infected devices, often referred to as "zombie bots," remotely. The strength of such an attack depends on the number of devices compromised by the hacker’s malware, making botnets a potent tool for large-scale cyberattacks.

Any device connected to the internet is at risk of becoming part of a botnet, especially if it lacks regular antivirus updates. According to CSO Online, botnets represent one of the most significant and rapidly growing cybersecurity threats. In the first half of 2022 alone, researchers detected 67 million botnet connections originating from over 600,000 unique IP addresses.

Botnet attacks typically involve compromising everyday devices like smartphones, smart thermostats, and webcams, giving attackers access to thousands of devices without the owners' knowledge. Once compromised, these devices can be used to launch spam campaigns, steal sensitive data, or execute Distributed Denial of Service (DDoS) attacks. The infamous Mirai botnet attack in October 2016 demonstrated the devastating potential of botnets, temporarily taking down major websites such as Twitter, CNN, Reddit, and Netflix by exploiting vulnerabilities in IoT devices.

The Lifecycle of a Botnet

Botnets are created through a structured process that typically involves five key steps:

  1. Infection: Malware spreads through phishing emails, infected downloads, or exploiting software vulnerabilities.
  2. Connection: Compromised devices connect to a command-and-control (C&C) server, allowing the botmaster to issue instructions.
  3. Assignment: Bots are tasked with specific activities like sending spam or launching DDoS attacks.
  4. Execution: Bots operate collectively to maximize the impact of their tasks.
  5. Reporting: Bots send updates back to the C&C server about their activities and outcomes.

These steps allow cybercriminals to exploit botnets for coordinated and anonymous attacks, making them a significant threat to individuals and organizations alike.

Signs of a Compromised Device

Recognizing a compromised device is crucial. Look out for the following warning signs:

  • Lagging or overheating when the device is not in use.
  • Unexpected spikes in internet usage.
  • Unfamiliar or abnormal software behavior.

If you suspect an infection, run a malware scan immediately and consider resetting the device to factory settings for a fresh start.

How to Protect Against Botnet Attacks

Safeguarding against botnets doesn’t require extensive technical expertise. Here are practical measures to enhance your cybersecurity:

Secure Your Home Network

  • Set strong, unique passwords and change default router settings after installation.
  • Enable WPA3 encryption and hide your network’s SSID.

Protect IoT Devices

  • Choose products from companies that offer regular security updates.
  • Disable unnecessary features like remote access and replace default passwords.

Account Security

  • Create strong passwords using a password manager to manage credentials securely.
  • Enable multi-factor authentication (MFA) for an added layer of security.

Stay Updated

  • Keep all software and firmware updated to patch vulnerabilities.
  • Enable automatic updates whenever possible.

Be Wary of Phishing

  • Verify communications directly with the source before providing sensitive information.
  • Avoid clicking on links or downloading attachments from untrusted sources.

Use Antivirus Software

  • Install reputable antivirus programs like Norton, McAfee, or free options like Avast.

Turn Off Devices When Not in Use

  • Disconnect smart devices like TVs, printers, and home assistants to minimize risks.

Organizations can mitigate botnet risks by deploying advanced endpoint protection, strengthening corporate cybersecurity systems, and staying vigilant against evolving threats. Implementing robust security measures ensures that businesses remain resilient against increasingly sophisticated botnet-driven cyberattacks.

Botnet attacks pose a serious threat to both individual and organizational cybersecurity. By adopting proactive and practical measures, users can significantly reduce the risk of becoming victims and contribute to a safer digital environment.

Read more »
XorBot
Botnet CyberCrime Cyberhackers Cybersecurity CyberThreat IoT Technology XorBot

XorBot Evolves with Advanced Evasion Strategies, Targets IoT

 


A resurgence of the XorBot botnet was detected by NSFOCUS, which has been identified as a powerful threat to Internet of Things (IoT) devices across the world. XorBot was first discovered in late 2023; since then, it has evolved significantly, gaining advanced anti-detection mechanisms as well as a wider array of exploits and methods from which to sneak past detection. 

Cybersecurity defenders are now faced with a new challenge, especially in light of the latest version, version 1.04. The XorBot has consistently proven its ability to adapt and evade detection since it was first introduced in 2009. "XorBot is unequivocally one of the biggest threats to the security of the Internet of Things (IoT)," NSFOCUS reports. 

It targets devices such as Intelbras cameras and routers from TP-Link and D-Link, as well as a variety of other internet-connected devices. There are currently up to 12 exploit methods available in the botnet, and it has evolved to control a significant number of devices over the years. XorBot is particularly known for propagating its infection by exploiting vulnerabilities in IoT devices to spread. It has been confirmed by Thawte that one of the threat actor groups Matrix, has been linked to a widespread distributed denial-of-service (DDoS) campaign which exploits devices which are connected to the Internet of Things (IoT) due to vulnerabilities or misconfiguration. 

The devices involved in this operation, including IP cameras, routers and telecom equipment, have been co-opted into a botnet for purposes of launching disruptive attacks against a network. It appears that the campaign is primarily targeting IP addresses related to China and Japan, with a lesser degree of activity present in other regions including Argentina, Brazil, and the United States. Interestingly, Ukraine has not been targeted. This suggests that the campaign is being launched for financial reasons, not for political reasons. 

As part of the matrix attack, Matrix exploits known vulnerabilities in internet-connected devices by making use of publicly available tools and scripts, including those found on platforms such as GitHub. A variety of internet-connected devices, such as IP cameras, DVRs, routers, and telecommunication equipment, are vulnerable to attacks via attack chains using known security flaws and default or weak credentials, allowing adversaries to access a wide variety of internet-connected devices. 

Besides misconfigured Telnet, SSH, and Hadoop servers, it has also been observed that this threat actor is targeting IP addresses that belong to cloud service provider (CSP) IP address ranges such as Amazon Web Services (AWS) and Microsoft Azure, as well as Google Cloud Platform and rival cloud services just to name a few. As part of the malicious activity, a large number of publicly available scripts and tools are used, which is ultimately used to deploy the Mirai botnet malware and other DDoS-related programs on compromised devices and servers, as well. 

PYbot, Pynet, DiscordGo, Homo Network, and a JavaScript program that implements a flood attack using HTTP/HTTPS, as well as a tool that enables the disabling of Microsoft Defender Antivirus running on Windows machines are all included in the toolkit. Moreover, this botnet monopolizes resources in infected devices, leading to the /tmp directory being set as a read-only directory, making it impossible for any other malware to compromise the same device. 

The operators of XorBot have taken a new focus on profitability. They openly advertise distributed denial of service (DDoS) attacks as a service, advertising themselves as the Masjesu Botnet, an alias for XorBot. According to NSFOCUS, Telegram has become a central platform for recruiting customers and promoting services, as well as providing an excellent foundation for further botnet growth and expansion. This botnet, whose activity is aimed at evading detection by using advanced evasion techniques, poses a significant threat to cybersecurity efforts, as it utilizes advanced evasion techniques. 

As part of the anti-tracking design, it uses passive online methods to connect with control servers without sending identifiers such as IP addresses, thereby preventing an automated tracking system from being set up, such as how it will wait for instructions and respond with random data to obscure the tracking attempt. In addition to that, this attack uses "code obfuscation" to further impede detection through the embedding of redundant code and the concealment of its signatures, preventing static analysis from being performed. 

In addition, XorBot implements a unique communication mechanism that minimizes its visibility over the network, thus making it more stealthy. It is evident from these sophisticated tactics that the botnet has evolved rapidly and that it faces a growing number of threats that are related to the Internet of Things. The NSFOCUS report estimates that botnet operators invest heavily in anti-detection and anti-tracking techniques, making it significantly more difficult for defence mechanisms to counter.
Read more »
Volt Typhoon
Botnet CyberCrime Cybersecurity CyberThreat FBI IP Address malware Technology Volt Typhoon

Volt Typhoon rebuilds malware botnet following FBI disruption

 


There has recently been a rise in the botnet activity created by the Chinese threat group Volt Typhoon, which leverages similar techniques and infrastructure as those previously created by the group. SecurityScorecard reports that the botnet has recently made a comeback and is now active again. It was only in May of 2023 that Microsoft discovered that the Volt Typhoon was stealing data from critical infrastructure organizations in Guam, which it linked to the Chinese government. This knowledge came as a result of a spy observing the threat actor stealing data from critical infrastructure organizations on US territory. 

Several Cisco and Netgear routers have been compromised by Chinese state-backed cyber espionage operation Volt Typhoon since September, to rebuild its KV-Botnet malware, which had previously been disrupted by the FBI and was unsuccessfully revived in January, reports said. A report by Lumen Technologies' Black Lotus Labs released in December 2023 revealed that outdated devices mostly powered Volt Typhoon's botnet from Cisco, Netgear, and Fortinet. 

The botnet was used to transfer covert data and communicate over unsecured networks. The US government recently announced that the Volt Typhoon botnet had been neutralized and would cease to operate. Leveraging the botnet's C&C mechanisms, the FBI remotely removed the malware from the routers and changed the router's IP address to a port that is not accessible to the botnet. 

Earlier this month, in response to a law enforcement operation aimed at disrupting the KV-Botnet malware botnet, Volt Typhoon, which is widely believed to be sponsored by the Chinese state, has begun to rebuild its malware botnet after law enforcement officials disrupted it in January. Among other networks around the world, Volt Typhoon is considered one of the most important cyberespionage threat groups and is believed to have infiltrated critical U.S. infrastructure at least for the past five years. 

To accomplish their objectives, they hack into SOHO routers and networking devices, such as Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras, and install proprietary malware that establishes covert communication channels and proxies, as well as maintain persistent access to targeted networks through persistent access. 

Volt Typhoon was a malicious botnet created by a large collection of Cisco and Netgear routers that were older than five years, and, therefore, were not receiving security updates as they were near the end of their life cycle as a result of having reached end-of-life (EOL) status. This attack was initiated by infecting devices with the KV Botnet malware and using them to hide the origin of follow-up attacks targeting critical national infrastructure (CNI) operations located in the US and abroad. 

There has been no significant change in Volt Typhoon's activity in the nine months since SecurityScorecard said they observed signs of it returning, which makes it seem that it is not only present again but also "more sophisticated and determined". Strike team members at SecurityScorecard have been poring over millions of data points collected from the organization's wider risk management infrastructure as part of its investigation into the debacle and have come to the conclusion that the organization is now adapting and digging in in a new way after licking its wounds in the wake of the attack. 

In their findings, the Strike Team highlighted the growing danger that the Volt Typhoon poses to the environment. To combat the spread of the botnet and its deepening tactics, governments and corporations are urgently needed to address weaknesses in legacy systems, public cloud infrastructures, and third-party networks, says Ryan Sherstobitoff, the senior vice president of SecurityScorecard's threat research and intelligence. "Volt Typhoon is not only a botnet that has resilience, but it also serves as a warning computer virus. 

In the absence of decisive action, this silent threat could trigger a critical infrastructure crisis driven by unresolved vulnerabilities, leading to a critical infrastructure disaster." It has been observed that Volt Typhoon has recently set up new command servers to evade the authorities through the use of hosting services such as Digital Ocean, Quadranet, and Vultr. Afresh SSL certificates have also been registered to evade the authorities as well. 

The group has escalated its attacks by exploiting legacy Cisco RV320/325 and Netgear ProSafe router vulnerabilities. According to Sherstobitoff, even in the short period that it took for the operation to be carried out, 30 per cent of the visible Cisco RV320/325 network equipment around the world was compromised. According to SecurityScorecard, which has been monitoring this matter for BleepingComputer, the reason behind this choice is likely to be based on geographical factors by the threat actors.

It would seem that the Volt Typhoon botnet will return to global operations soon; although the size of the botnet is nowhere near its previous size, it is unlikely that China's hackers will give up on their mission to eradicate the botnet. As a preventative measure, older routers should be replaced with more current models and placed behind firewalls. Remote access to admin panels should not be made open to the internet, and passwords for admin accounts should be changed to ensure that this threat is not created. 

To prevent exploitation of known vulnerabilities, it is highly recommended that you use SOHO routers that are not too old to install the latest firmware when it becomes available. Among the areas in which the security firm has found similarities between the previous Volt Typhoon campaigns and the new version of the botnet are its fundamental infrastructure and techniques. A vulnerability in the VPN of a remote access point located on the small Pacific island of New Caledonia was found by SecurityScorecard's analysis. As the network was previously shut down, researchers observed it being used once again to route traffic between the regions of Asia-Pacific and America, although the system had been taken down previously. 
Read more »
phishing
Botnet Cyber Attacks Cyber Threats DDoS phishing

Cybersecurity Beyond Phishing: Six Underrated Threats


Cybercriminals are continually developing new methods to exploit vulnerabilities, and even the most tech-savvy individuals and organizations can find themselves at risk. While some cyberattacks like phishing and malware are well-known, several lesser-known but equally dangerous threats require attention. This blog post explores six types of cyberattacks you might not have considered but should be on your radar.

1. Botnet Attacks

A botnet attack involves a network of compromised computers, or "bots," which are controlled by a single entity, often referred to as a "botmaster." These botnets can be used to launch large-scale cyberattacks such as Distributed Denial-of-Service (DDoS) attacks, which overwhelm a target’s resources, rendering it inaccessible. 

In 2016, hackers used the Mirai botnet to take control of millions of devices and launched a huge DDoS attack on Dyn, a major domain name server provider.

Some hackers also take over IoT devices to "brick" them, which means they damage the device’s firmware so it becomes useless. They do this for fun or to teach people about cybersecurity.

2. LLMjacking

As language models become integral in various applications, they present new cyberattack vectors. LLMjacking, or Large Language Model hijacking, involves manipulating language models to generate harmful or misleading information. 

Attackers can exploit vulnerabilities in these models to spread misinformation, influence public opinion, or even automate phishing attacks. The rise of AI-powered tools necessitates the implementation of stringent security measures to safeguard against such manipulations.

Companies that utilize cloud-hosted Large Language Models (LLMs) are at risk of LLM jacking because they possess the necessary server resources to operate generative AI programs. Hackers might exploit these resources for personal purposes, such as creating their own images, or for more malicious activities like generating harmful code, contaminating the models, or stealing sensitive information.

While an individual hijacking a cloud-based LLM for personal use might not cause significant damage, the costs associated with resource usage can be substantial. A severe attack could result in charges ranging from $50,000 to $100,000 per day for the owner.

3. Ransomware

Unlike traditional malware that aims to steal information, ransomware directly extorts victims. Attackers encrypt valuable data and demand payment, often in cryptocurrency, for the decryption key. Organizations of all sizes are potential targets, and the financial and reputational damage can be severe. Preventative measures, including regular data backups and cybersecurity training, are crucial in mitigating the risks of ransomware attacks.

4. Insider Threats

An insider threat comes from within the organization, typically from employees, contractors, or business partners who have inside information concerning the organization’s security practices. These threats can be malicious or unintentional but are dangerous due to the privileged access insiders have. 

They may misuse their access to steal sensitive information, disrupt operations, or introduce vulnerabilities. Organizations need to implement strict access controls, regular monitoring, and education to reduce the risk of insider threats.

5. Man-in-the-Middle (MitM) Attacks

Man-in-the-middle attacks occur when an attacker intercepts communication between two parties without their knowledge. The attacker can then eavesdrop, manipulate, or steal sensitive information being exchanged. 

MitM attacks are particularly concerning for financial transactions and other confidential communications. Encrypted communication channels, strong authentication methods, and educating users about potential risks are effective strategies to prevent such attacks.

6. Phishing Schemes

Phishing remains one of the most prevalent cyber threats, evolving in sophistication and technique. Attackers use deceptive emails, messages, or websites to trick individuals into divulging personal information such as usernames, passwords, and credit card details. 

Spear phishing, a targeted form of phishing, involves personalized attacks on specific individuals or organizations, making them harder to detect. Continuous cybersecurity awareness training and employing advanced email filtering solutions can help protect against phishing schemes.

Read more »
SMB
BlueKeep Botnet Botnet attack CVSS 4.0 Cyber Security Information Security RDP SMB

Prometei Botnet: The Persistent Threat Targeting Global Systems

 

The Prometei botnet, active since at least 2016, continues to pose a persistent threat worldwide by exploiting unpatched software vulnerabilities. First identified in 2020, Prometei has since infected over 10,000 systems across diverse regions, including Brazil, Indonesia, Turkey, and Germany. Its resilience stems from its focus on widely used software gaps, particularly in systems with weak configurations, unmonitored security measures, or outdated patches. The Federal Office for Information Security in Germany has labeled it a medium-impact threat, given its extensive reach and ability to bypass security protocols. Prometei operates by exploiting vulnerabilities in widely used software, spreading particularly through unpatched or poorly configured Exchange servers. 

Critical Start’s Callie Guenther highlights Prometei’s strategy of leveraging regions with inadequate cybersecurity, making it highly effective in targeting various systems regardless of location. One notable aspect is its ability to spread through legacy vulnerabilities, such as the BlueKeep flaw in Remote Desktop Protocol (RDP), which has a critical CVSS score of 9.8. By targeting these known issues, Prometei can quickly access poorly maintained systems that remain unprotected. A Prometei attack often starts with a series of network login attempts, typically originating from locations associated with known botnet infrastructure. Once access is secured, the malware tests various system weaknesses, particularly outdated vulnerabilities like BlueKeep and EternalBlue. If successful, it can propagate through Server Message Block (SMB) systems or use ProxyLogon flaws to exploit Windows environments further. 

Prometei’s use of outdated exploits could be seen as less sophisticated; however, its approach is strategic, focusing on identifying vulnerable, under-maintained systems rather than tackling those with robust security protocols. Once established in a target system, Prometei employs several techniques to maintain control and evade detection. For example, it uses a domain generation algorithm (DGA) to enhance its command-and-control (C2) system, allowing continuous operation even if some domains are blocked. It further manipulates firewall settings to ensure its traffic is not obstructed, enabling it to persist even after system reboots. Among its advanced methods is the use of the WDigest protocol, which stores plaintext passwords in memory. 

Prometei forces systems to store passwords in plaintext, then exfiltrates them while bypassing detection by configuring Windows Defender to ignore specific files. The primary goal of Prometei appears to be cryptojacking, as it harnesses infected systems to mine the Monero cryptocurrency without the owners’ knowledge. Additionally, it installs an Apache web server as a web shell, creating a backdoor for attackers to upload more malicious files or execute commands. Prometei’s presence, according to Trend Micro’s Stephen Hilt, often signals deeper security concerns, as it can coexist with other malicious software, highlighting vulnerabilities that attackers may leverage for various purposes. Interestingly, Prometei avoids certain regions, specifically targeting systems outside former Soviet countries. Its command-and-control servers bypass exit nodes within these nations, avoiding accounts tagged as “Guest” or “Other user” in Russian.

Older versions of Prometei also included Russian-language settings, hinting at a potential connection to Russian-speaking developers. The botnet’s name, “Prometei,” references the Greek titan Prometheus, symbolizing a persistence that echoes the botnet’s own sustained presence in global cyber threats. Prometei exemplifies the persistent and evolving nature of modern botnets. Its success in exploiting well-known but unpatched vulnerabilities underscores the importance of maintaining updated security systems. For organizations worldwide, especially those with legacy systems or lax monitoring, Prometei serves as a critical reminder to reinforce defenses against cyber threats, as outdated security leaves systems vulnerable to malicious actors seeking to exploit any gap available.
Read more »
Subscribe to: Posts (Atom)