
Prometei botnet and its own quest for Monero

Attackers are constantly reinventing ways to monetize their tooling. Cisco Talos recently discovered a complex campaign built around a multi-modular botnet with several ways to spread and a payload focused on generating financial gain for the attacker by mining the Monero cryptocurrency. The actor uses different methods to spread across the network, such as SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several custom-crafted tools that help the botnet increase the number of systems participating in its Monero-mining pool.

The infection starts with the main botnet file, which is copied from other infected systems over SMB using passwords retrieved by a modified Mimikatz module and exploits such as EternalBlue. The actor is also aware of the latest SMB vulnerabilities such as SMBGhost, but no evidence of this exploit being used has been found.

The botnet has more than 15 executable modules that are downloaded and driven by the main module, which constantly communicates with the command and control (C2) server over HTTP. The data exchanged is encrypted with RC4, and the RC4 key is shared with the C2 by the module using asymmetric encryption.

Apart from a strong focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and reused by other modules that try to verify their validity on other systems using the SMB and RDP protocols.
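The credential-reuse behaviour described above, where one compromised host validates a harvested password against many other systems over SMB and RDP, leaves a recognisable fan-out pattern in authentication logs. The script below is an added example written for this page, not Talos's code or anything shipped by the botnet: it flags a (source host, account) pair that touches an unusually large number of distinct hosts over SMB or RDP inside a short sliding window. The log line format, the host names and the thresholds are all constructed for the example; a real deployment would parse its own SIEM or Windows Security event format instead.

```python
"""Flag one source host/account that validates credentials against many
hosts over SMB or RDP within a short window: the lateral-movement fan-out
pattern attributed to Prometei's credential-reuse modules.
Added example; log format, hosts and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO time> <src> <user> <dst> <proto> <result>"
# WS01/jdoe hits six hosts in eight seconds; WS09/asmith is normal admin use.
SAMPLE_LOG = """\
2020-07-22T10:00:01 WS01 CORP\\jdoe WS02 SMB success
2020-07-22T10:00:03 WS01 CORP\\jdoe FS01 SMB success
2020-07-22T10:00:04 WS01 CORP\\jdoe WS03 RDP failure
2020-07-22T10:00:06 WS01 CORP\\jdoe WS04 SMB success
2020-07-22T10:00:08 WS01 CORP\\jdoe WS05 RDP success
2020-07-22T10:00:09 WS01 CORP\\jdoe WS06 SMB success
2020-07-22T10:05:00 WS09 CORP\\asmith FS01 SMB success
2020-07-22T10:30:00 WS09 CORP\\asmith WS10 RDP success
2020-07-22T11:00:00 WS09 CORP\\asmith WS11 SMB success
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, user, dst, proto, result = line.split()
    return datetime.fromisoformat(ts), src, user, dst, proto, result


def find_credential_fanout(log_text, window=timedelta(minutes=5), min_hosts=5):
    """Return {(src, user): sorted distinct destination hosts} for every
    source/account pair that reached at least `min_hosts` distinct hosts over
    SMB or RDP inside some sliding window of length `window`.

    Failed attempts count as well: the botnet's validation of a harvested
    password against a host is visible whether or not it succeeds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, dst, proto, _result = parse_line(line)
        if proto in ("SMB", "RDP"):
            events[(src, user)].append((ts, dst))

    flagged = {}
    for key, evs in events.items():
        evs.sort()
        seen = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                seen |= hosts  # union over every window that trips the threshold
        if seen:
            flagged[key] = sorted(seen)
    return flagged


if __name__ == "__main__":
    for (src, user), hosts in find_credential_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src} {user} -> {len(hosts)} hosts: {', '.join(hosts)}")
```

The threshold and window are deliberately crude; the point is that the module's behaviour of trying one password on many hosts is a volume-and-breadth signal rather than a signature, so a detection keyed on distinct destination count per source account survives changes to the binary. Tune `min_hosts` against a baseline of legitimate administrative fan-out (backup agents, patch management) before alerting on it.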
