
Security Advisory

Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities

Summary:
The Cybereason Nocturnus Team responded to several incident response (IR) cases involving Prometei Botnet infections at
companies in North America, observing that the attackers exploited the recently published Microsoft Exchange
vulnerabilities CVE-2021-27065 and CVE-2021-26858 to penetrate the network and install malware. Prometei is a modular,
multi-stage cryptocurrency-mining botnet, first discovered in July 2020, that has both Windows and Linux versions. To
achieve its goal of mining Monero, Prometei uses a range of techniques and tools, from Mimikatz to SMB and RDP exploits,
that work together to propagate across the network.

ATT&CK ID:
T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1036 - Masquerading
T1047 - Windows Management Instrumentation
T1057 - Process Discovery
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1082 - System Information Discovery
T1104 - Multi-Stage Channels
T1106 - Native API
T1110 - Brute Force
T1132 - Data Encoding
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1210 - Exploitation of Remote Services
T1496 - Resource Hijacking
T1543.003 - Windows Service
T1552 - Unsecured Credentials
T1555 - Credentials from Password Stores
T1569 - System Services
T1570 - Lateral Tool Transfer

CVE Details:
CVE-2021-27065
CVE-2021-26858

Malware Families:
Prometei
China Chopper - S0020
Indicators of Compromise:
Reference links:
https://otx.alienvault.com/pulse/609194ef6b34a29c18080028
https://www.cybereason.com/hubfs/dam/collateral/iocs/Prometei%20Botnet%20IOCs.pdf
https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities
https://otx.alienvault.com/pulse/609a0faef9ce3b3df6efd74c
https://otx.alienvault.com/pulse/60848e76b2ffb150c0310da4
https://otx.alienvault.com/pulse/5fd7881bdef47e24232d349b
