Attackers generally use botnets to perform automated tasks such as attacking other systems or hijacking their resources for malicious purposes. However, we have recently seen some threat actors alter this behavior. These altered botnets are capable of stealing and validating credentials, posing a greater threat to the organizations under attack.
Recently, a cryptocurrency-mining botnet was spotted doing exactly this.
Researchers have spotted a multi-modular botnet campaign that has been active since March 2020. The botnet uses several methods to spread its payload, dubbed Prometei, and profits the attacker by mining the Monero cryptocurrency. So far it generates only around $1,250 per month on average.
The Workings of the botnet –
- The botnet operators copy the botnet files from an already infected system to new hosts over Windows Server Message Block (SMB).
- They do so using passwords retrieved by a modified Mimikatz module, as well as exploits such as EternalBlue.
- Several purpose-built tools are used to grow the pool of infected systems available for Monero mining. The botnet's main module can download and control more than 15 executable modules.
- On an infected host the attackers can perform various actions, such as executing programs and commands, launching command shells, opening, downloading and stealing files, and starting crypto-mining operations, among other functions.
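The chain described above, a file dropped onto a host over an administrative SMB share, then executed, then talking to an outside address, is something a defender can correlate in host telemetry. The following is an added example, not code from the eScan post or from the Prometei research; the event records are constructed and the field layout is an assumption, not a real product's schema.

```python
"""Correlate constructed host events to flag the copy-over-SMB -> execute ->
outbound-connection sequence described for the Prometei campaign."""
from collections import defaultdict
import ntpath

# Constructed sample telemetry (not real logs): (seconds, host, kind, detail)
EVENTS = [
    (100, "ws01", "smb_write", r"\\ws01\ADMIN$\svchost.exe"),      # dropped via SMB
    (130, "ws01", "proc_start", r"C:\Windows\svchost.exe"),         # same image runs
    (190, "ws01", "net_conn", "203.0.113.9:3333"),                  # outbound from host
    (200, "ws02", "smb_write", r"\\ws02\C$\budget.xlsx"),           # benign file copy
    (900, "ws02", "proc_start", r"C:\Program Files\Office\excel.exe"),
    (950, "ws02", "net_conn", "203.0.113.9:3333"),
]

# Administrative shares that SMB lateral movement typically writes to
ADMIN_SHARES = ("ADMIN$", "C$")


def find_chains(events, window=300):
    """Return sorted hosts where a write to an admin share is followed, within
    `window` seconds, by a process whose image name matches the dropped file
    and then by an outbound connection from that same host."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)
    flagged = set()
    for host, evs in by_host.items():
        for t0, _, kind, path in evs:
            if kind != "smb_write":
                continue
            if not any(p.upper() in ADMIN_SHARES for p in path.split("\\")):
                continue
            dropped = ntpath.basename(path).lower()
            ran_at = None
            for t1, _, k1, image in evs:
                if (k1 == "proc_start" and t0 <= t1 <= t0 + window
                        and ntpath.basename(image).lower() == dropped):
                    ran_at = t1
                    break
            if ran_at is None:
                continue
            if any(k2 == "net_conn" and ran_at <= t2 <= t0 + window
                   for t2, _, k2, _ in evs):
                flagged.add(host)
    return sorted(flagged)


if __name__ == "__main__":
    print("hosts with SMB drop -> execute -> connect chain:", find_chains(EVENTS))
```

Only `ws01` is flagged: on `ws02` the copied file is never executed and the later process start falls outside the correlation window.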
Some recent Windows SMB exploit attacks –
Lately, various malware families have been seen exploiting the Microsoft Windows SMB protocol to mine cryptocurrency.
- In May 2020, cryptocurrency-mining malware operated by the Blue Mockingbird group attempted to spread internally through weakly secured RDP (Remote Desktop Protocol) and SMB (Server Message Block) connections.
- In April last year, a malware campaign used the EternalBlue exploit (targeting the SMBv1 protocol) together with obfuscated, living-off-the-land PowerShell scripts to drop Trojans and the XMRig Monero crypto miner on compromised machines.
Final Thoughts –
Now that botnet behavior has started to become worrying, enterprises need to ensure that none of their credentials leak to a botnet's command-and-control server. Every system should therefore be monitored constantly for even a small crack in common applications. Our security experts advise using a reliable intrusion detection/prevention tool to detect the presence of threats in the infrastructure.
To read more, please check eScan Blog