Prometei campaign

Type

Campaign

Actors

🔥Prometei operator

Pub. date

October 23, 2024

Initial access

1-day vulnerabilityPassword attack

Impact

Resource hijacking

Observed techniques

Password bruteforcing Vulnerability exploitation

Observed tools

Prometei

References

https://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html

Status

Finalized

Last edited

Nov 14, 2024 1:35 PM

The Prometei botnet attempted to infiltrate a company’s network using a brute-force attack. Researchers from Trend Micro identified and mitigated the threat by tracing Prometei’s stealthy, modular structure. Prometei, primarily aimed at cryptocurrency mining and credential theft, exploits vulnerabilities like RDP and SMB to spread quickly across networks, deploying PowerShell scripts to evade detection and persist across reboots.

The investigation revealed Prometei’s intricate evasion tactics, including a Domain Generation Algorithm (DGA) for dynamic C&C communication, encrypted payloads, and Base64-obfuscated PowerShell commands. Analysis points to Russian-speaking threat actors, as the malware avoids targeting Russian systems.