Security Advisory: Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities
Summary:
The Cybereason Nocturnus Team responded to several incident response (IR) cases involving Prometei Botnet
infections at companies in North America, observing that the attackers exploited recently published
Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) to penetrate the network and
install malware. Prometei is a modular, multi-stage cryptocurrency-mining botnet, first discovered in July
2020, that has both Windows and Linux versions. To achieve its goal of mining Monero, Prometei combines
a range of techniques and tools, from Mimikatz credential harvesting to SMB and RDP exploits, which
together let it propagate across the network.
ATT&CK ID:
T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1036 - Masquerading
T1047 - Windows Management Instrumentation
T1057 - Process Discovery
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1082 - System Information Discovery
T1104 - Multi-Stage Channels
T1106 - Native API
T1110 - Brute Force
T1132 - Data Encoding
T1135 - Network Share Discovery
T1190 - Exploit Public-Facing Application
T1210 - Exploitation of Remote Services
T1496 - Resource Hijacking
T1543.003 - Windows Service
T1552 - Unsecured Credentials
T1555 - Credentials from Password Stores
T1569 - System Services
T1570 - Lateral Tool Transfer
CVE Details:
CVE-2021-27065
CVE-2021-26858
Malware Families:
Prometei
China Chopper - S0020
Indicators of Compromise:
hostname:
bk2.bitspiritfun2.net
bk1.bitspiritfun2.net
gb7ni5rgeexdcncj.onion
domain:
dummy.zero
ccymveektqgpxrpjb72oq.zero
IPv4:
91.102.160.193
77.92.138.51
69.84.240.57
217.165.8.218
208.66.132.3
193.160.102.91
183.247.34.37
178.21.164.68
121.200.54.85
112.109.89.53
102.72.239.193
FileHash-SHA1:
381c17131d13e1203c91720870ecb441f5be297e
f3829e6fa1254391b76ef23f8949a7e138db9525
fe65853ff86e5783c3d70edcbe0771447967ab0c
f9422a3fea99ab663ab544ea0b2480ae7f666ef4
9623dcd8836c481aa44ae84499f20e2439941a4b
e337191a9f34c9f38ca9562d4e85b51f91c7e8fb
13219e81db9b22b1d00d4afe38b3a5f1d4b10d51
e223a0d3786fd1316686c4b2d26a7a6e9e57096c
86bb5d2911ebbc19a1f257c8c6ccca941e0eb5e6
dab60418f0731654fe8451a461088466ac46fb7b
31f1e9d4ccd7e78a17ee924e29cdb64a29ae742d
FileHash-SHA256:
fb8f100e646dec8f19cb439d4020b5f5f43afdc2414279296e13469f13a018ca
FileHash-MD5:
26bbafde448c5b5b72583384e7b912b1
84452e3633c40030e72c9375c8a3cacb
2046a12ccbd011fa28b9bb340d91effe
ee959cdf508592a977f5c50652a48944
0e70560f49b033b79d378a857d9ca8e0
d11d4cb21442d3996113ab362be35f31
8e035fa24d7a854e1b9745f032e8720c
5373e12f6841f504a35ac5753a181b9e
70c17470e29e719346f27fa3423c6887
d1dc33269f5ce4db3e1f162e7f066811
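The following is an added example of how a defender might sweep existing logs for the indicators listed above; it is not code from Cybereason or from the advisory. It loads a subset of the hostnames, domains, IPv4 addresses and file hashes from the IoC list, extracts candidate tokens from free-text log lines with regular expressions, and reports exact hostname, IP and hash matches plus subdomain matches against the listed domains. The log lines and their field layout are constructed for the example, not taken from a real sensor.

```python
"""Sweep log lines for the Prometei indicators published in the advisory above.

Added example (not the advisory's own tooling). The indicator sets below are
copied from the IoC list; only a subset of the hashes is included to keep the
example short, and the log lines are constructed for the demonstration.
"""
import re
from typing import Iterable, List, Tuple

# Hostnames and domains from the advisory, lower-cased for case-insensitive matching.
IOC_HOSTNAMES = {
    "bk1.bitspiritfun2.net",
    "bk2.bitspiritfun2.net",
    "gb7ni5rgeexdcncj.onion",
}
IOC_DOMAINS = {"dummy.zero", "ccymveektqgpxrpjb72oq.zero"}

# IPv4 indicators from the advisory.
IOC_IPV4 = {
    "91.102.160.193", "77.92.138.51", "69.84.240.57", "217.165.8.218",
    "208.66.132.3", "193.160.102.91", "183.247.34.37", "178.21.164.68",
    "121.200.54.85", "112.109.89.53", "102.72.239.193",
}

# A subset of the SHA-1, SHA-256 and MD5 indicators from the advisory.
IOC_HASHES = {
    "381c17131d13e1203c91720870ecb441f5be297e",                           # SHA-1
    "f3829e6fa1254391b76ef23f8949a7e138db9525",                           # SHA-1
    "fb8f100e646dec8f19cb439d4020b5f5f43afdc2414279296e13469f13a018ca",   # SHA-256
    "84452e3633c40030e72c9375c8a3cacb",                                   # MD5
    "0e70560f49b033b79d378a857d9ca8e0",                                   # MD5
}

# Token extractors. Look-arounds stop a hash or IP from matching inside a longer token.
HASH_RE = re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"(?<![\w.-])(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}(?![\w.-])")


def match_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, indicator) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_HASHES:
            hits.append(("hash", h.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPV4:
            hits.append(("ipv4", ip))
    for host in HOST_RE.findall(line):
        host = host.lower()
        if host in IOC_HOSTNAMES:
            hits.append(("hostname", host))
        # A lookup for any subdomain of a listed domain is also a hit.
        elif any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("domain", host))
    return hits


def scan(lines: Iterable[str]) -> List[Tuple[int, str, str, str]]:
    """Scan a log stream; return (line_number, indicator_type, indicator, line) per hit."""
    findings: List[Tuple[int, str, str, str]] = []
    for n, line in enumerate(lines, 1):
        for kind, value in match_line(line):
            findings.append((n, kind, value, line.rstrip()))
    return findings


# Constructed sample log lines (DNS, firewall and EDR style); not from a real environment.
SAMPLE_LOGS = [
    "2021-05-04T10:12:01Z dns client=10.0.0.15 query=bk2.bitspiritfun2.net type=A",
    "2021-05-04T10:12:05Z dns client=10.0.0.15 query=node7.dummy.zero type=A",
    "2021-05-04T10:13:40Z fw action=allow src=10.0.0.15 dst=91.102.160.193 dport=443",
    "2021-05-04T10:14:02Z edr event=file_write path=C:\\Users\\Public\\update.exe md5=84452E3633C40030E72C9375C8A3CACB",
    "2021-05-04T10:15:00Z fw action=allow src=10.0.0.15 dst=13.107.42.14 dport=443",
]

if __name__ == "__main__":
    for n, kind, value, line in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {value} in: {line}")
```

Hash matching is case-insensitive because EDR products disagree on hex casing; domain matching uses a suffix test so that a lookup for any host under a listed domain is flagged, not just the apex. Feeding real sensor output through `scan()` and extending the indicator sets with the full hash list from the advisory is the intended use.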
Reference links:
https://otx.alienvault.com/pulse/609194ef6b34a29c18080028
https://www.cybereason.com/hubfs/dam/collateral/iocs/Prometei%20Botnet%20IOCs.pdf
https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities
https://otx.alienvault.com/pulse/609a0faef9ce3b3df6efd74c
https://otx.alienvault.com/pulse/60848e76b2ffb150c0310da4
https://otx.alienvault.com/pulse/5fd7881bdef47e24232d349b