Topic: Prometei: New cryptojacking botnet (Read 180 times)

legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
July 26, 2020, 11:52:18 PM
#8
I don't know what SysInternals Live is. I've always downloaded it and kept it on my computer.
SysInternals was bought by Microsoft many years ago, so make sure you download it from Microsoft, not from some strange website.
legendary
Activity: 1904
Merit: 1563
July 26, 2020, 11:41:00 PM
#7
I've said it multiple times: if you use Windows, get Process Explorer (SysInternals/Microsoft) and set it to start with the system.
Also make it always visible in the tray.
It will show if the CPU is used too much and who is using it. It should help find this kind of malware.
What is the difference between downloading and running Process Explorer and running it from Sysinternals Live? Do I need to pay for this service? This is my first time encountering this kind of in-depth task manager.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
July 26, 2020, 05:46:37 PM
#6
I've said it multiple times: if you use Windows, get Process Explorer (SysInternals/Microsoft) and set it to start with the system.
Also make it always visible in the tray.
It will show if the CPU is used too much and who is using it. It should help find this kind of malware.
hero member
Activity: 2870
Merit: 594
July 26, 2020, 05:27:56 PM
#5
This is a big cause of concern
Quote
Prometei is unlike most mining botnets. Apart from organizing the tools by their purpose in the attack, it also features anti-detection and analysis evasion attributes.

You cannot fix something that you are not aware of working inside of your computer. If you cannot trace it in your task manager, then you need another tool to trace this botnet; an up-to-date malware removal tool could trace this and remove it. There is another form of ransomware making the rounds now; it's called Zida. It's old but making a comeback now.

Yes, it is very hard for a user to trace if his system is under attack by this cryptojacking because there is no way for you to find it out. That's why it still boils down to how a user is educated about these kinds of attacks. No sign, but your machine is somewhat lagging or very slow or it is heating? Then for sure something is wrong and it could be this cryptojacking.
legendary
Activity: 3416
Merit: 1225
July 26, 2020, 09:58:32 AM
#4
This is a big cause of concern
Quote
Prometei is unlike most mining botnets. Apart from organizing the tools by their purpose in the attack, it also features anti-detection and analysis evasion attributes.

You cannot fix something that you are not aware of working inside of your computer. If you cannot trace it in your task manager, then you need another tool to trace this botnet; an up-to-date malware removal tool could trace this and remove it. There is another form of ransomware making the rounds now; it's called Zida. It's old but making a comeback now.

legendary
Activity: 2702
Merit: 3045
Top Crypto Casino
July 26, 2020, 09:37:33 AM
#3
I would hope most users would notice the computer's cooling system ramping up for no particular reason. Although most of my systems' noise levels under load are generally the same as idle with my setups, as I over-build cooling.
It would be hard for inexperienced users, who are usually the main target of hackers, to notice the difference, especially when they use new computers which are totally quiet even under heavy load.
Even if they notice it, they would think that a legitimate program/process is running in the background.

Quote
Although I imagine there are ways a smart programmer could hide this (use a fraction of processing power perhaps).
It's possible, but it wouldn't be as profitable as running their victims' CPUs at their max power.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
July 25, 2020, 09:52:09 PM
#2
I would hope most users would notice the computer's cooling system ramping up for no particular reason. Although most of my systems' noise levels under load are generally the same as idle with my setups, as I over-build cooling.

Although I imagine there are ways a smart programmer could hide this (use a fraction of processing power perhaps).
hero member
Activity: 1344
Merit: 540
July 24, 2020, 04:58:17 AM
#1
A new botnet was discovered in the wild by Cisco Talos.

Another very sophisticated cryptojacking botnet:

Quote
Prometei is stealing passwords with a modified version of Mimikatz (miwalk.exe). These pass to the spreader module (rdpclip.exe) for parsing and authentication over an SMB session.

Should the credentials fail, the spreader launches a variant of the EternalBlue exploit for distributing and launching the main module (svchost.exe). Svajcer says that the author of the botnet is also aware of the SMBGhost vulnerability, although he did not find evidence of the exploit being used.

The last payload delivered on a compromised system is SearchIndexer.exe, which is version 5.5.3 of the XMRig open-source Monero mining software.

Evasion and anti-analysis
Prometei is unlike most mining botnets. Apart from organizing the tools by their purpose in the attack, it also features anti-detection and analysis evasion attributes.

Its author added layers of obfuscation from early versions of the bot, which grew more complex in later variants. The main module spreads on the network under various names ("xsvc.exe," "zsvc.exe") and uses a different packer that depends on an external file to be properly unpacked.

"In addition to making manual analysis more difficult, this anti-analysis technique also avoids detection in dynamic automated analysis systems" - Vanja Svajcer

Furthermore, Prometei can communicate with the C2 server using TOR or I2P proxies, too, to get instructions and send out stolen data.

The researcher says that the main module can also double as a remote access trojan, although the main functionality is Monero mining and possibly stealing Bitcoin wallets.

Prometei victims are located in the United States, Brazil, Pakistan, China, Mexico, and Chile. In four months, they earned the threat actor less than $5,000, or an average of $1,250 a month.

https://www.bleepingcomputer.com/news/security/new-cryptojacking-botnet-uses-smb-exploit-to-spread-to-windows-systems/

So if you see your Windows machines starting to slow down a bit, you need to sit down and check everything.
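As an added defender-side example (not from the thread, BleepingComputer or Talos), this PowerShell script applies the thread's advice on a Windows host: it lists processes that either carry one of the image names the quoted article mentions while running from outside the Windows system directories, or have accumulated a lot of CPU time. The process names come from the article; the 60-second CPU threshold and the trusted-directory list are assumptions.

```powershell
# Added example: flag processes that reuse a trusted-looking name from the article
# but run from an unexpected path, and processes with sustained CPU use.
# Names below are quoted in the article; the thresholds are assumptions.
$WatchedNames = @('svchost.exe', 'SearchIndexer.exe', 'rdpclip.exe', 'xsvc.exe', 'zsvc.exe')
$TrustedDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Total processor seconds before a process counts as "busy" (assumed value).
$CpuSecondsThreshold = 60

function Test-TrustedPath {
    param([string]$Path)
    # Access-denied processes report no path; treat that as untrusted so it shows up.
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    foreach ($dir in $TrustedDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousProcesses {
    # Win32_Process gives the on-disk path; Get-Process gives accumulated CPU time.
    $cpuById = @{}
    Get-Process | ForEach-Object { $cpuById[$_.Id] = [double]$_.CPU }

    Get-CimInstance Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        $name = $_.Name
        $id   = [int]$_.ProcessId
        $cpu  = if ($cpuById.ContainsKey($id)) { $cpuById[$id] } else { 0 }

        # -contains is case-insensitive in PowerShell, so SVCHOST.EXE matches too.
        $lookalike = ($WatchedNames -contains $name) -and -not (Test-TrustedPath $path)
        $busy      = $cpu -ge $CpuSecondsThreshold

        if ($lookalike -or $busy) {
            $reason = if ($lookalike) { 'article name outside System32' } else { 'sustained CPU use' }
            [pscustomobject]@{
                Pid        = $id
                Name       = $name
                Path       = $path
                CpuSeconds = [math]::Round($cpu, 1)
                Reason     = $reason
            }
        }
    }
}

Get-SuspiciousProcesses | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that paths of processes owned by other users are readable; a hit is a prompt to inspect the file in Process Explorer, not proof of infection.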