Botnet exploits Microsoft Exchange vulnerability to mine cryptocurrency

Monero XMR Botnet Prometei

Cybersecurity research firm, Cyberreason, has discovered a botnet that exploits the recently disclosed Microsoft Exchange server vulnerability. The botnet has been seen to be exploiting servers that continue to remain unpatched around the world. 

The botnet, called Prometei, was first brought to light in July 2020, but many researchers believe it may have been active since 2016 using a range of common exploits to deploy its cryptocurrency mining software.

“The Prometei Botnet poses a big risk for companies because it has been under-reported,” said Assaf Dahan, head of threat research, Cybereason, in a statement. “When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well. If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints. And to make matters worse, crypto mining drains valuable network computing power, negatively impacting business operations and the performance and stability of critical servers.”

Prometei is a modular multi-stage cryptocurrency botnet that seeks to laterally expand its penetration across a network once an entry point has been found. The botnet uses techniques and tools such as Mimikatz, Eternal Blue, SMB, and RDP exploits, and many other common tools to propagate.

Prometei mines Monero (XMR) coins as they can be mined using only CPU processing power. Mining can also be throttled not to consume 100% of the CPU power, allowing it to operate without being easily detected.

The botnet can operate across both Windows and Linux operating systems and adjust its payload based on the detected operating system and the targeted machines as it spreads across the network.

Cyberreason has assessed that the Prometie group is financially motivated and operated by Russian-speaking people but is not necessarily backed by a nation-state.

Threat actors in the cybercrime community continue to use advanced persistent threats (APT) techniques to improve their operations. Botnets such as Prometei can deploy updates to exploit any new zero-day vulnerabilities quickly.

Businesses should be monitoring CPU usage on all machines and proactively investigate whenever a machine is consistently showing high CPU usage.

Scroll to Top