# A New All-in-One Botnet: Proteus **[fortinet.com/blog/threat-research/a-new-all-in-one-botnet-proteus.html](https://www.fortinet.com/blog/threat-research/a-new-all-in-one-botnet-proteus.html)** Threat Research By [Donna Wang and](https://www.fortinet.com/blog/search?author=Donna+Wang) [Jacob (Kuan Long) Leong | November 28, 2016](https://www.fortinet.com/blog/search?author=+Jacob+%28Kuan+Long%29+Leong) **Introduction** November 28, 2016 The ART team at Fortinet has discovered a new malware named Proteus, a multifunctional botnet written in .NET that appears to be a proxy, coin miner, e-commerce merchant account checker, and keylogger. This particular botnet is downloaded by the Andromeda botnet. The handful of malicious features densely packed in this new malware also includes the ability to drop other malware. We have compiled its main features in this brief analysis. **Data Encryption** All C&C communication is encrypted with a symmetrical algorithm. All strings used in this botnet are also encrypted using the same algorithm. Part of the encrypted hostname string is shown below: Figure 1 Partial Encrypted Hostname And the encrypted hostname is: http://prot{removed}twork.ml/ which is used as the C&C domain. A simple decryption Algorithm is provided below: ----- Figure 2 Decryption Algorithm **Preparation** The sample arrives obfuscated, drops a copy of itself in the %AppData% folder as _chrome.exe, and executes the copy. It then creates a hardcoded mutex to ensure there is_ only one instance of itself running. Figure 3 Mutex Name In order to register the botnet with the C&C server, it sends an initial registration message with several pieces of information regarding the infected machine. The packet for registering the bot takes the format as below: ``` {"m":"", "o":"", "v":" "} ``` Figure 4 Bot Registering Function The fingerprint consists of the processor, BIOS and baseboard information of the infected machine, as shown below. Figure 5 Generating Fingerprint ----- The bot comes with a hardcoded default fingerprint, as shown below. However, it appears that the default fingerprint is always overwritten by the above-mentioned newly generated fingerprint, which is a unique identifier for the infected machine. The fingerprint is included in the HTTP header in the authorization field. Figure 6 Default Fingerprint MachineName is retrieved by calling the Win32 API GetComputerName, OperatingSystem is the OS architecture x64 or x86. The BotVersion is obtained from the assembly version that the code is executing in: Figure 7 Bot version The C&C server responses with an encrypted string that reads “successful.” Then the bot plays ping pong with the server to make sure it’s live in order to carry out the rest of its malicious actions. Figure 8 Ping Pong **Features & Tasks** Proteus creates six threads for different tasks, as follows: **_Task_** **_Description_** _SocksTask_ creates a socket and sets up port forwarding _MiningTask_ appears to use SHA256 miner for mining digital currency * ----- _EMiningTask_ appears to use CPUMiner and ZCashMiner for mining digital currency * _CheckerTask_ validates given accounts _CommandsTask_ kills current process or downloads and executes an executable on request _LoggerTask_ sets up keylogger Table 1 Tasks and Descriptions - The bot verifies with the server during runtime to determine which miner to use for mining _digital currency such as Bitcoin._ Figure 9 Check Module for MiningTask Figure 10 Check Modules for EMiningTask For SocksTask, MiningTask, EMiningTask and LoggerTask, the bot first sends a CheckModule message by providing its program fingerprint and corresponding module name to the C&C server. The server then sends a command back to the bot, indicating whether or not the bot should proceed with the requested task. For CheckerTask, the bot first requests an account from the C&C server. If the server replies with an account to the bot, the bot will proceed to check the given account on some wellknown e-commerce websites including eBay, Amazon, and Netflix. Some of the websites are on German (.de) domains. Similarly, for CommandsTask, the bot first requests a command from the server and then executes the command if it is valid. **Conclusion** The Proteus botnet has a combination of features including coin miner, proxy server, keylogger, and many more. It is also capable of downloading and executing a file. All of this in one botnet may be even more harmful than one might first think, as it could download anything and execute it in the infected host. Our team will continue to monitor this botnet family and provide more information as it comes to light. **_Sample Information_** MD5: 49fd4020bf4d7bd23956ea892e6860e9 ----- SHA256: d23b4a30f6b1f083ce86ef9d8ff434056865f6973f12cb075647d013906f51a2 _Fortinet AV Detection: MSIL/Proteus.A!tr_ _Fortinet IPS Detection: Proteus.Botnet_ --Advanced Research Team, Fortinet Canada ## Related Posts Copyright © 2022 Fortinet, Inc. All Rights Reserved [Terms of ServicesPrivacy Policy](https://www.fortinet.com/corporate/about-us/legal.html) | Cookie Settings -----