Unmasking Prometei: A Deep Dive Into MXDR Findings

Oct. 24, 2024, 10:21 a.m.

Description

This analysis examines the Prometei botnet's infiltration of a customer's system through a targeted brute force attack. Using Trend Vision One, the investigation traced the botnet's detailed installation routine and stealthy tactics. Prometei, a modular malware family used for cryptocurrency mining and credential theft, spreads by exploiting vulnerabilities and using PowerShell scripts. The botnet downloads compressed archives containing various components to maintain control over infected devices. Key findings include the use of a domain generation algorithm for command and control, the deployment of web shells, and connections to the Tor network. The threat actors behind Prometei are likely Russian-speaking individuals, as evidenced by language settings and targeting behaviors.

Date

Published: Oct. 23, 2024, 5:36 p.m.

Created: Oct. 23, 2024, 5:36 p.m.

Modified: Oct. 24, 2024, 10:21 a.m.

Attack Patterns

Prometei

Prometei

T1021.002

T1569.002

T1021.001

T1018

T1059.001

T1572

T1095

T1016

T1082

T1057

T1105

T1083

T1071

T1047

T1053

T1041

T1190

T1133

T1078

T1003

Additional Information

Technology

Finance

Government

Indonesia

Brazil