Prometei Botnet: Unpatched Microsoft Exchange Servers Are Targeted


The Prometei botnet is now targeting the unpatched Microsoft Exchange Servers and added to its operators’ troupe of Monero (XMR) crypto mining bots. This modular malware is capable of infecting both Linux and Windows systems. It had been first discovered last year while utilizing the EternalBlue Exploit for spreading across the compromised networks. It enslaves the vulnerable Windows computers. 

Recently, Cybereason’s Nocturnus team has discovered that the Prometei botnet has been active for almost around half a decade. This information has been provided by the Prometei artefacts that were submitted to VirusTotal in May 2016.

Depending on the new malware samples that Cybereason had lately found during the recent responses, the Prometei botnet had also been updated for exploiting the Microsoft Exchange Server. The company had patched the vulnerabilities of the server in March.

Prometei botnet on the Exchange Servers primarily focuses on deploying the cryptomining payload, initiating earning money for its operators and spreading to the other devices on the network. For spreading, it utilizes the BlueKeep and EternalBlue exploits, SSH or SQL spreader modules and harvested credentials.

“When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well,” said Assaf Dahan, Cybereason senior director and head of threat research.

“If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints.”

Image: Cybereason

Cryptojacking Prometei Botnet Bearing Backdoor Features

Nevertheless, the malware just hit an upgrade bearing the backdoor capabilities to support an extensive array of commands. These commands include the download and execution of files, looking for the files on the compromised systems alongside executing commands or programs on behalf of the cyber attackers.

“The latest versions of Prometei now provide the attackers with a sophisticated and stealthy backdoor that supports a wide range of tasks that make mining Monero coins the least of the victims’ concerns,” Cybereason Nocturnus Team said.

The threat actors behind the Prometei botnet are still unknown. However, there is evidence that the threat actors speak the Russian language. Even the name of the botnet is Prometei (derived from the Russian term “Prometheus”). The Russian code and the product name has also been used in the earlier versions. 

The Cybereason-conducted research also points to the malware botnet operators being motivated financially and are likely not sponsored by a nation-state.

“As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks,” the Cybereason Nocturnus Team added.

“This threat poses a great risk for organizations, since the attackers have absolute control over the infected machines, and if they wish so, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling access to the infected endpoints.”

More Than 90% Of The Vulnerable Microsoft Exchange Servers Have Been Patched

The Prometei botnet had exploited two flaws – CVE-2021-27065 and CVE-2021-26858. The Chinese-backed hacking groups, including the other hacking groups, had also abused the flaws for deploying the web shells, cryptomining malware and ransomware (1,2).

As per the stats that Microsoft had shared last month, the vulnerabilities have affected approximately 92% of all the internet-connected on-premises Microsoft Exchange servers. These vulnerabilities have now been patched and are safe from attacks. 

Redmond had also released an EOMT tool or One-click Exchange On-premises Mitigation Tool for aiding the small business owners to mitigate the security bugs as soon as possible, without the help from a dedicated security team. Additionally, the Microsoft Defender Antivirus protects the unpatched Microsoft Exchange Servers automatically from the ongoing attacks by auto-mitigating the vulnerabilities. 

Source: Bleeping Computer

Disclaimer: Read the complete disclaimer here.


Please enter your comment!
Please enter your name here