Security news that informs and inspires

Prometei Botnet Tracks Down Vulnerable Exchange Servers

In the latest slew of attacks against the infamous Exchange ProxyLogon flaws, cybercriminals are infecting systems and adding them to the cryptocurrency-mining Prometei botnet.

Researchers with Cybereason on Thursday said they have observed attacks targeting thousands of machines across companies in North America. The cybercriminals behind these attacks are targeting two flaws - part of a collection of previously-disclosed Microsoft Exchange vulnerabilities - in order to initially infect the network and install malware. The end goal of the attack is to add the infected systems to the modular Prometei botnet, which mines Monero coins.

“As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks,” said Lior Rochberger, security researcher with Cybereason. “We anticipate continued evolution of the advanced techniques being used by different threat actors for different purposes, including cybercrime groups.”

When researchers with Cisco Talos first uncovered the Prometei botnet in July, they believed the botnet was active since March 2020. As part of their new report, Cybereason researchers now believe that the botnet has been in the wild as far back as 2016. That’s because a deep-dive investigation into the botnet’s infrastructure revealed that a Prometei.cgi file - which contains commands for the botnet to execute on infected machines - dates back to May 2016.

In addition, researchers found that the botnet’s operators have expanded their initial infection vectors. Previously, the actor employed various methods to spread across the network, such as stolen credentials and SMB exploits. This latest slew of attacks, however, show the botnet operators now relying on several of the Microsoft Exchange vulnerabilities known collectively as ProxyLogon, which are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Microsoft released a patch in March for the flaws, which can be chained together to create a pre-authentication remote code execution (RCE) exploit.

Cybercriminals behind Prometei have specifically honed in on CVE-2021-27065 and CVE-2021-26858 in order to perform remote code execution on the vulnerable devices. They first install and execute the China Chopper webshell, which is used to launch a PowerShell and ultimately download the payload. The payload, saved as C:\windows\zsvc.exe, marks the start of the Prometei botnet execution.

Once downloaded, the botnet then executes various modules, including the zsvc.exe module that “prepares the ground” for other modules and sets up a registry key for persistence; the RdpcIip module, which harvests credentials and spreads across the network using stolen credentials; and the Sqhost.exe module, which contains backdoor capabilities to support a range of commands. One of these commands is to start the mining process by launching the miner (SearchIndexer.exe).

Rochberger said, researchers cannot estimate with certainty the amount that cybercriminals have profited from the compromises.

“Around March 2021, we noticed that one of the wallets used by Prometei was banned due to reports of botnet mining,” said Rochberger. “That being said, it is very easy to set up multiple wallets, and we cannot be sure how many wallets are used by the group.”

“Although the Prometei techniques and some of its components will likely be detected by security analysts, most of them will not be immediately obvious to end-users, which highlights the importance of having a security team and products in place that can detect these malicious operations."

The disclosure of the ProxyLogon flaws left businesses scrambling to patch their systems. A month ago, researchers said that the number of servers vulnerable to the Exchange ProxyLogon flaws continued to dip - however, they found that there were still nearly 30,000 unpatched servers online.

Exploitation activity has also skyrocketed, with actors targeting vulnerable Exchange servers to deploy ransomware and install webshells. Previously, researchers warned that the flaws were being targeted by at least 10 different advanced persistent threat (APT) groups.

Cryptocurrency miners were some of the first payloads observed that were spread through exploits of the ProxyLogon flaws. In March, for instance, the known cryptocurrency botnet Lemon Duck was dropped by attackers from the post-exploit web shells.

And last week, Sophos researchers warned that they observed a cryptocurrency mining attack on Exchange servers. This recent attack started with a PowerShell command, which retrieved a file (called from another compromised server’s Outlook Web Access logon path, and eventually injected a miner into the system’s process.

“We are seeing multiple attacks involving the recently discovered Exchange vulnerabilities,” Rochberger said. That being said, more and more organizations are becoming aware of the gravity of the situation and the danger of not patching those specific vulnerabilities, he noted.

“In comparison to previous vulnerabilities, we see rather rapid patching efforts, which significantly reduces the attack surface,” he said.

Researchers said that the Prometei attacks pose “a great risk” for organizations, with cryptomining malware being used for resource-hogging and affecting the performance and stability of critical servers and endpoints. However, even beyond cryptomining malware, if attackers have absolute control over the infected machines, they have the ability to launch other attacks, such as stealing information, infecting the endpoints with other malware or collaborating with ransomware gangs by selling the access to the infected endpoints.

“Although the Prometei techniques and some of its components will likely be detected by security analysts, most of them will not be immediately obvious to end-users, which highlights the importance of having a security team and products in place that can detect these malicious operations,” said Rochberger.