Posted on 07-24-2020.
Cisco Talos, Cisco's threat intelligence research team, has discovered a cryptocurrency-mining botnet dubbed Prometei. The actor's main goal is to hijack victims' computers to mine Monero (XMR). A secondary goal appears to be the theft of Bitcoin (BTC) wallets, possibly using passwords harvested with the open-source credential-dumping tool Mimikatz. Once installed and launched, the malware disguises itself as other programs to set up hidden mining operations, and it also gives the attacker remote control of the infected system, including the ability to copy files. The analysts also identified attempts to steal administrator passwords. The report explains:
“The infection starts with the main botnet file which is copied from other infected systems by means of SMB, using passwords retrieved by a modified Mimikatz module and exploits such as EternalBlue. The actor is also aware of the latest SMB vulnerabilities such as SMBGhost, but no evidence of using this exploit has been found.”

Prometei has been active since early March. The researchers noted that the earning potential of the botnet is relatively small: over the past four months it has made just under $5,000, or about $1,250 per month on average. Cisco Talos believes the botnet was created by a professional developer from Eastern Europe, although the attacker could not be identified.
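The propagation pattern described in the quote, one infected host copying the bot to many others over SMB, is visible on the network as a single internal source opening port 445 connections to many distinct peers in a short time. The following detector is an added example written for this article; it is not code from Cisco Talos or from the Prometei malware, and the log format (`timestamp src_ip dst_ip dst_port`), the sample lines and the threshold are all constructed assumptions for illustration.

```python
"""Flag worm-like SMB fan-out: one source reaching many distinct hosts on TCP/445
inside a short sliding window. Added example, not part of the Talos report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log: "timestamp src_ip dst_ip dst_port".
# 10.0.0.5 touches six different hosts on 445 within a few seconds (fan-out);
# 10.0.0.7 makes one SMB connection and one HTTP connection (benign).
SAMPLE_LOG = """\
2020-07-20T10:00:01 10.0.0.5 10.0.0.12 445
2020-07-20T10:00:02 10.0.0.5 10.0.0.13 445
2020-07-20T10:00:02 10.0.0.5 10.0.0.14 445
2020-07-20T10:00:03 10.0.0.5 10.0.0.15 445
2020-07-20T10:00:03 10.0.0.5 10.0.0.16 445
2020-07-20T10:00:04 10.0.0.5 10.0.0.17 445
2020-07-20T10:00:10 10.0.0.7 10.0.0.12 445
2020-07-20T10:00:11 10.0.0.7 10.0.0.9 80
2020-07-20T10:05:00 10.0.0.5 10.0.0.18 445
"""

SMB_PORT = 445


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def smb_fanout(events, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak_distinct_targets} for every source that reached at
    least `threshold` distinct hosts on port 445 within any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, conns in by_src.items():
        conns.sort()  # sliding window needs time order
        start = 0
        peak = 0
        for end in range(len(conns)):
            # Advance the window start until it is within `window` of the newest event.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in conns[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} reached {count} distinct hosts on 445 within 60s")
```

Known-good scanners, backup servers and administrative jump hosts will trip this rule too, so in practice the source list needs an allowlist, and the threshold and window should be tuned to the normal SMB behaviour of the environment. The rule catches the fan-out shape regardless of whether the bot authenticated with stolen credentials or used an exploit such as EternalBlue, which is the point: the spreading behaviour, not the specific exploit, is what a defender can observe here.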