October 23, 2024 at 09:09AM
The Prometei botnet targets systems via brute force attacks for cryptocurrency mining and credential theft. Its modular malware exploits various vulnerabilities, including SMB and RDP. The investigation reveals its detailed installation and lateral movement tactics, emphasizing the significance of proactive detection and response through tools like Trend Vision One.
### Meeting Notes Summary on the Prometei Botnet Investigation
#### Key Points
– **Incident Overview**: The Prometei botnet attempted to infiltrate a customer’s system through a targeted brute force attack.
– **Investigation Tools**: The investigation utilized Trend Vision One for proactive detection and response.
– **Botnet Characteristics**: Prometei is a modular malware focused on cryptocurrency mining (primarily Monero) and credential theft, having compromised over 10,000 systems globally.
#### Attack Details
– **Initial Access**:
– Suspicious login attempts from specific external IP addresses were linked to Prometei.
– Successful entry was gained through vulnerabilities in RDP and SMB protocols.
– **Malware Components**:
– Multiple files were created on the compromised system, including executable binaries and archived files (e.g., `sqhost.exe`, `miWalk.exe`).
– The malware modifies system services for persistence and evasion.
– **Credential Theft**:
– The malware re-enabled plaintext credential storage and harvested credentials using specific commands.
– **Lateral Movement**:
– Techniques included the use of PowerShell scripts and WMI for moving across networks.
– **Propagation Techniques**:
– Prometei exploits known vulnerabilities and utilizes various botnet components for lateral movement and spreading.
#### Cryptojacking Operations
– The infected systems were used for unauthorized cryptocurrency mining, driven by a payload called `SearchIndexer.exe`.
#### Domain Generation and Communication
– The botnet employs a Domain Generation Algorithm (DGA) to create multiple random domains for command-and-control communication, evading detection.
#### Web Shell Deployment
– The botnet installed a web server, allowing attackers to execute commands and upload files remotely.
#### Additional Findings
– The botnet integrated with Tor for concealed communications, indicating a sophisticated threat landscape.
#### Conclusion
– Elevated threat intelligence was essential in detecting the malware early. The incidence underscores the need for proactive measures and real-time monitoring to combat advanced cyber threats.
### Action Items
– **Trend Micro Solutions**: Encourage the use of MXDR services and threat intelligence reports to enhance network defenses.
– **Incident Preparedness**: Assess existing protocols for credential storage and access management to mitigate similar future attacks.
This summary encapsulates the critical aspects of the Prometei botnet investigation, emphasizing operational details and the need for vigilance and advanced cybersecurity solutions.