Rewterz Threat Alert – Prometei Crypto-mining Botnet Exploits Windows SMB

Severity

Medium

Analysis Summary

A cryptocurrency-mining botnet attack called “Prometei” has been discovered using several techniques. This threat demonstrates several techniques like disabling Security Tools, Remote File Copy, Obfuscated Files or Information, PowerShell, Service Execution, Masquerading and Connection Proxy. Cisco Talos recently discovered this complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by mining the Monero online currency. The actor employs various methods to spread across the network, like SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that helps the botnet increase the amount of systems participating in its Monero-mining pool.

Impact

• Unauthorized CPU power consumption
• Network-wide infection

Indicators of Compromise

SHA-256

• 601a1269ca0d274e518848c35a2399115000f099df149673b9dbc3cd77928d40
• 58d210b47abba83c54951f3c08a91d8091beae300c412316089b5506bd330adc
• ae078c49adba413a10a38a7dcfc20359808bc2724453f6df03a517b622cbca0e
• 9a5c109426480c7283f6f659cb863be81bd46301548d2754baf8b38e9e88828d
• d363dc2aafdf0d9366b5848fc780edfa6888418750e2a61148436908ea3f5433
• 8ca679d542904a89d677cb3fd7db309364f2214f6dc5e89099081835bec4e440
• fe0a5d851a9dd2ba7d1b0818f59363f752fc7343bdfc306969280ade54b2f017
• 7f78ddc27b22559df5c50fd1e5d0957369aadd1557a239aaf4643d51d54c4f94
• 0d6ca238faf7911912b84086f7bdad3cd6a54db53677a69722de65982a43ee09
• c08f291510cd4eccaacff5e04f0eca55b97d15c60b72b204eae1fc0c8d652f48
• f6eddbabc1d6b05d2bc27077bcb55ff640c5cf8b09a18fc51ed160a851f8be58
• 8b7b40c0f59bbe4c76521b32cc4e344033c5730ccb9de28cfba966d8c26ca3ef
• a7ad84e8f5deb1d2e32dd84f3294404a5f7f739215bdd90d7d37d74ee8a05409
• 76110b87e46eb61f492d680a2b34662040bb9c25c947a599536cdaf5170fe581
• ecd4c12ef01028c3f544c0f7c871c6d6f256997f1b7be4c8fdbb0f8572012444
• b0500636927b2ddb1e26a21fbf19a8c1fc47a260062976ddbef60fd47c21dc6e
• ea2174993892789f0c1081152c31b3b3fef79c6a5016840ea72321229c7fe128
• 9e86d18d5761493e11fe95d166c433331d00e4f1bf3f3b23a07b95d449987b78
• 923201672a41f93fb43dae22f30f7d2d170c0b80e534c592e796bd8ad95654ea
• 1df6e9705e9ffb3d2c4f1d9ca49f1e27c4bcac13dba75eac9c41c3785a8ca4b1
• 7c71fb85b94fb4ff06bbaf81d388d97f6e828428ee9f638525d4f6e488e71190
• 994d20fee2bd05e67c688e101f747a5d17b0352a838af818ad357c8c7a34a766
• d3dc9cdb106902471ee95016440b855806e8e5dd0f313864e46126fd3ecfe4fe
• 4ec815b28fe30f61a282c1943885fa81c6e0e98413f5e7f3f89ec6810f3b62a3
• e0a181318eb881d481d2e4830289ed128006269ace890139f054cf050351500a

Source IP

• 103[.]11[.]244[.]221
• 208[.]66[.]132[.]3
• 69[.]28[.]95[.]50

URL

• hxxp[:]//103[.]11[.]244[.]221/crawler[.]php
• hxxp[:]//103[.]11[.]244[.]221/lR[.]php
• hxxp[:]//208[.]66[.]132[.]3[:]8080/7z[.]dll
• hxxp[:]//208[.]66[.]132[.]3[:]8080/7z[.]exe
• hxxp[:]//208[.]66[.]132[.]3[:]8080/_agent[.]7z
• hxxp[:]//208[.]66[.]132[.]3[:]8080/chk445[.]php
• hxxp[:]//208[.]66[.]132[.]3[:]8080/Desktop[.]txt
• hxxp[:]//208[.]66[.]132[.]3[:]8080/dllr0[.]php
• hxxp[:]//208[.]66[.]132[.]3[:]8080/srchindx2[.]php
• hxxp[:]//208[.]66[.]132[.]3[:]8080/zlib[.]php
• hxxp[:]//208[.]66[.]132[.]3[:]8080/ztasklist[.]php
• hxxp[:]//69[.]28[.]95[.]50[:]180/miwalk[.]txt
• hxxp[:]//69[.]28[.]95[.]50[:]180/walker14364[.]php
• hxxp[:]//69[.]84[.]240[.]57[:]180/lR[.]php
• hxxp[:]//69[.]84[.]240[.]57[:]180/miwalk[.]txt
• hxxp[:]//69[.]84[.]240[.]57[:]180/walker14364[.]php
• hxxp[:]//bk1[.]bitspiritfun2[.]net/cgi-bin/prometei[.]cgi
• hxxp[:]//p1[.]feefreepool[.]net/cgi-bin/prometei[.]cgi
• hxxps[:]//gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei[.]cgi
• hxxps[:]//211[.]23[.]16[.]239/prometheus[.]php

Remediation

• Block the threat indicators at their respective controls.
• Keep all systems and software patched against all known vulnerabilities.
• Roll-out multi-factor authentication for all access points.