Prometei: Crypto Mining Bots

One of the most advantageous qualities a cyber threat can have is the ability to go unnoticed.

A recent investigation found a botnet that does just that. Called “Prometei,” this cryptocurrency mining botnet uses techniques to fly under the radar of end users, even though the strategies themselves may be obvious to a defender.

“The actor employs various methods to spread across the network, like SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that help the botnet increase the amount of systems participating in its Monero-mining pool.”

“But this takeover didn’t stop its mining capabilities or the validation of stolen credentials. The botnet continues to make a moderate profit for a single developer, most likely based in Eastern Europe.

The actor behind it is also likely its developer. The TTPs indicate we may be dealing with a professional developer, based on their ability to integrate SMB exploits such as Eternal Blue and authentication code and the use of existing open-source projects, such as Mimikatz and FreeRDP.”

How it works

Everything starts with the main botnet file. The infection copies and spreads throughout the system, using passwords retrieved by a modified Mimikatz module and exploits like Eternal Blue.

The botnet has more than 15 executable modules, all of which are downloaded and driven by the main module, which communicates constantly with the command and control (C2) server over HTTP. The data exchanged is encrypted with RC4, and the module shares the RC4 key with the C2 using asymmetric encryption.

Apart from a large focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and then reused by other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols.

In addition to stealing computing power, Prometei has another feature: stealing and validating credentials.

Although we only saw evidence of stolen credentials being used to spread laterally, such credentials also have value on underground markets, and the damage potential of losing an important administrative username and password is very high.

This is why organizations that detect the presence of the Prometei botnet on their systems should act immediately to remove it and to make sure none of their credentials have been leaked to the command and control server.
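The spreading behaviour described above (one set of stolen credentials tried against many hosts over SMB and RDP in quick succession) leaves a recognisable fan-out pattern in authentication logs. The following is an added detection example, not code from the Prometei report or the botnet itself; the logon records, hostnames, account names and the 5-host/5-minute threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records in a Windows 4624-like shape:
# (timestamp, account, source host, destination host, logon type).
# Logon type 3 = network logon (SMB, psexec, WMI), type 10 = RemoteInteractive (RDP).
SAMPLE_LOGONS = [
    ("2020-07-01T10:00:01", "CORP\\admin-svc", "WS-17", "FILE-01", 3),
    ("2020-07-01T10:00:04", "CORP\\admin-svc", "WS-17", "FILE-02", 3),
    ("2020-07-01T10:00:09", "CORP\\admin-svc", "WS-17", "SQL-03", 3),
    ("2020-07-01T10:00:15", "CORP\\admin-svc", "WS-17", "APP-04", 10),
    ("2020-07-01T10:00:20", "CORP\\admin-svc", "WS-17", "APP-05", 3),
    ("2020-07-01T10:00:31", "CORP\\admin-svc", "WS-17", "DC-01", 3),
    # Normal user: two file-server logons more than an hour apart, no alert expected.
    ("2020-07-01T10:05:00", "CORP\\jdoe", "WS-02", "FILE-01", 3),
    ("2020-07-01T11:30:00", "CORP\\jdoe", "WS-02", "FILE-02", 3),
]


def detect_fanout(logons, window=timedelta(minutes=5), min_hosts=5):
    """Flag (account, source host) pairs that reached at least `min_hosts`
    distinct destinations via network or RDP logons inside a sliding window.
    Returns a dict mapping the flagged pair to the peak distinct-host count."""
    by_actor = defaultdict(list)
    for ts, account, src, dst, logon_type in logons:
        if logon_type in (3, 10):  # only remote logons matter for lateral movement
            by_actor[(account, src)].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for actor, events in by_actor.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[actor] = max(len(hosts), alerts.get(actor, 0))
    return alerts


if __name__ == "__main__":
    for (account, src), count in detect_fanout(SAMPLE_LOGONS).items():
        print(f"ALERT: {account} from {src} reached {count} hosts within 5 minutes")
```

The same logic applies to any log source that records who authenticated from where to where; tune the window and host threshold to the normal behaviour of your administrative accounts.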

Trojan that hits Mac users

A new trojan attack using malware called GMERA is targeting cryptocurrency traders who use trading applications on Apple’s macOS.

The internet security company ESET found that the malware comes integrated into legitimate-looking cryptocurrency trading applications and tries to steal users’ crypto funds from their wallets.

Copying the actual applications

The malware operators have integrated GMERA into the original macOS cryptocurrency trading application Kattana. They have also copied the company’s website and are promoting four new copycat applications — Cointrazer, Cupatrade, Licatrade and Trezarus — that come packed with the malware.

The fake websites have a download button which is linked to a ZIP archive containing the trojanized version of the app. According to ESET, these applications have full support for trading functionalities.

The malware in a nutshell

To analyze the malware, researchers tested samples from Licatrade, which they said has minor differences compared to the malware on other applications but still functions the same way.

The trojan installs a shell script on the victim’s computer that gives the operators access to the user’s system through the application. The shell script then allows the attackers to set up command-and-control servers, also called C&C or C2, over HTTP between their infrastructure and the victim’s system. These C2 servers give them a persistent channel to the compromised machine.

GMERA steals information such as usernames, cryptocurrency wallets, location data and screen captures from the user’s system.