Researchers find a new cryptojacking botnet that targets Windows devices, focuses on Monero mining and steals admin passwords
In the current situation, attackers across the globe are actively exploiting one vulnerability or another and launching new types of attacks. Meanwhile, researchers from Cisco Talos have dubbed a new cryptojacking botnet Prometei; it targets Windows devices, focuses on Monero mining and steals admin passwords.
According to the research, the botnet was active as early as the beginning of March, but it seems to have been dealt a blow by a takeover of one of its C2 servers on June 8. However, this takeover didn’t stop its mining capabilities or the validation of stolen credentials. The botnet continues to make a moderate profit for a single developer, most likely based in Eastern Europe.
The new cryptojacking botnet spreads across compromised networks via multiple methods, including the EternalBlue exploit for the Windows Server Message Block (SMB) protocol. The attacker's goal is to mine Monero (XMR) cryptocurrency and to enslave as many systems as possible for this task in order to increase profit.
The botnet has more than 15 executable modules that are all downloaded and driven by the main module, which constantly communicates with the command and control (C2) server over HTTP. The data it sends is encrypted with RC4, and the module shares the RC4 key with the C2 using asymmetric encryption.
Besides its strong focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and then reused by other modules, which attempt to verify the validity of the passwords on other systems using the SMB and RDP protocols.
While tracking the botnet, the researchers noticed that its modules fall into two categories with fairly distinct purposes: mining-related operations (dropping the miner, spreading on the network) and gaining access by brute-forcing logins over SMB and RDP.
The researchers said that while the distinct functions and programming languages (C++ and .NET) of these modules may indicate that another party is taking advantage of this botnet, it is more likely that a single actor controls all of them. Prometei steals passwords with a modified version of Mimikatz (miwalk.exe); Mimikatz is an open-source application that allows users to view and save authentication credentials.
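Detection logic a defender could run over endpoint logs for the two behaviours described above, credential reuse over SMB/RDP and execution of the modified Mimikatz build; this is an added example, not code from the article or from Cisco Talos, and the event records, host names and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample events, modelled on Windows Security log fields: 4625 is a
# failed logon (logon type 3 = network/SMB, 10 = RemoteInteractive/RDP) and
# 4688 is process creation. Hosts and addresses are placeholders.
SAMPLE_EVENTS = [
    {"event_id": 4625, "src_ip": "10.0.0.5", "target_host": "FS01", "logon_type": 3},
    {"event_id": 4625, "src_ip": "10.0.0.5", "target_host": "FS02", "logon_type": 3},
    {"event_id": 4625, "src_ip": "10.0.0.5", "target_host": "DC01", "logon_type": 10},
    {"event_id": 4625, "src_ip": "10.0.0.5", "target_host": "DC01", "logon_type": 10},
    {"event_id": 4625, "src_ip": "10.0.0.9", "target_host": "FS01", "logon_type": 2},
    {"event_id": 4625, "src_ip": "10.0.0.12", "target_host": "FS01", "logon_type": 3},
    {"event_id": 4688, "host": "WS07", "process": "C:\\Windows\\Temp\\miwalk.exe"},
    {"event_id": 4688, "host": "WS07", "process": "C:\\Windows\\System32\\svchost.exe"},
]

# Image name of the modified Mimikatz build named in the article.
SUSPECT_IMAGE_NAMES = {"miwalk.exe"}


def find_credential_validation(events, min_targets=3):
    """Return sources that failed SMB (type 3) or RDP (type 10) logons
    against at least `min_targets` distinct hosts: one source trying one
    credential set across many machines is the reuse pattern described."""
    targets = defaultdict(set)
    for ev in events:
        if ev.get("event_id") == 4625 and ev.get("logon_type") in (3, 10):
            targets[ev["src_ip"]].add(ev["target_host"])
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


def find_credential_dumper(events):
    """Return (host, image) for process-creation events whose image file name
    matches the known modified Mimikatz binary, regardless of directory."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4688:
            continue
        image = ev.get("process", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in SUSPECT_IMAGE_NAMES:
            hits.append((ev["host"], image))
    return hits


if __name__ == "__main__":
    print(find_credential_validation(SAMPLE_EVENTS))
    print(find_credential_dumper(SAMPLE_EVENTS))
```

Interactive logons (type 2) and single-host failures are ignored so ordinary typos do not trigger the rule; tune `min_targets` to the size of the environment.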
Furthermore, the botnet can communicate with the C2 server through Tor or I2P proxies to fetch instructions and send out stolen data. The researchers say that the main module can also double as a remote access trojan, although its main functionality is Monero mining and possibly stealing Bitcoin wallets.
As an advisory, we would like to suggest changing your admin passwords regularly and enabling two-factor authentication for social and other accounts where available. For more news on tech and cybersecurity, stay tuned to Android Rookies by subscribing to our newsletter.