

Rewterz Threat Alert – Cybersecurity Vendors Impersonated in Malicious Activities
July 23, 2020
Rewterz Threat Alert – WatchBogMiner Targets Linux Servers’ RCE Vulnerabilities
July 24, 2020
Severity
Medium
Analysis Summary
A cryptocurrency-mining botnet called “Prometei” has been discovered. It uses several techniques, including Disabling Security Tools, Remote File Copy, Obfuscated Files or Information, PowerShell, Service Execution, Masquerading and Connection Proxy. Cisco Talos recently discovered this complex campaign, which employs a multi-modular botnet with multiple ways to spread and a payload focused on financial gain for the attacker through mining the Monero cryptocurrency. The actor uses various methods to spread across the network, such as SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that help the botnet increase the number of systems participating in its Monero-mining pool.
Impact
- Unauthorized CPU power consumption
- Network-wide infection
Indicators of Compromise
SHA-256
Source IP
- 103[.]11[.]244[.]221
- 208[.]66[.]132[.]3
- 69[.]28[.]95[.]50
URL
Remediation
- Block the threat indicators at their respective controls.
- Keep all systems and software patched against all known vulnerabilities.
- Roll out multi-factor authentication for all access points.
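To act on the first remediation item, the indicators above have to be refanged and validated before they can be loaded into a control. As an added example (not code from the Rewterz alert), the Python below parses the section-and-bullet layout this alert uses, undoes the `hxxp` / `[.]` / `[:]` defanging, validates each value for its section, and collects the hosts for a blocklist; the sample lines are constructed from values on this page plus one deliberately invalid entry.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a few indicator lines in the alert's layout, plus one bad line.
SAMPLE_IOC_LINES = """
SHA-256
- 601a1269ca0d274e518848c35a2399115000f099df149673b9dbc3cd77928d40
Source IP
- 103[.]11[.]244[.]221
URL
- hxxp[:]//103[.]11[.]244[.]221/crawler[.]php
- hxxps[:]//gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei[.]cgi
- not a valid indicator
"""

SECTIONS = {"SHA-256": "sha256", "Source IP": "ip", "URL": "url"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
URL_RE = re.compile(r"^https?://\S+$")


def refang(value: str) -> str:
    """Reverse the alert's defanging: hxxp -> http, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def parse_indicators(text: str) -> dict:
    """Group bullet values by section; anything that fails validation goes to 'rejected'."""
    out = {"sha256": [], "ip": [], "url": [], "rejected": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("- "):          # section header line
            section = SECTIONS.get(line)
            continue
        value = refang(line[2:])
        if section == "sha256" and SHA256_RE.match(value.lower()):
            out["sha256"].append(value.lower())  # hashes are case-insensitive
        elif section == "ip" and IPV4_RE.match(value) and all(int(o) <= 255 for o in value.split(".")):
            out["ip"].append(value)
        elif section == "url" and URL_RE.match(value):
            out["url"].append(value)             # keep URL case: paths may be case-sensitive
        else:
            out["rejected"].append(line)
    return out


def block_hosts(parsed: dict) -> list:
    """Hosts to block at DNS/proxy/firewall: listed IPs plus the hostname of each URL."""
    hosts = set(parsed["ip"]) | {urlsplit(u).hostname for u in parsed["url"]}
    return sorted(h for h in hosts if h)
```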