Microsoft Exchange Servers Used To Mine Cryptocurrency
Unpatched Microsoft Exchange Servers Are Being Added to the Prometei Botnet Army by the Operators of Its Monero Mining Bots.
The modular malware known as Prometei is able to infect both Windows and Linux systems, which makes it highly dangerous.
The malware was first spotted last year. At that time it was using the EternalBlue exploit in order to gain access across compromised networks and enslave vulnerable Windows computers.
It appears the malware has been around for almost half a decade, with artifacts from 2016 having been submitted to VirusTotal.
Looking at new malware samples recently found by Cybereason during several incident response engagements, the botnet appears to have been updated to exploit the Exchange Server vulnerabilities patched by Microsoft in March.
The focus of Prometei’s attacks is to deploy the crypto mining payload, start earning money for its operators and spread to other devices on the network using EternalBlue and BlueKeep exploits, harvested credentials, and SSH or SQL spreader modules.
When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information.
If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints.
It is also worth noting that the malware has been upgraded with backdoor capabilities, supporting an extensive array of commands such as downloading and executing files, searching for files on infected systems, and executing programs or commands on behalf of the attackers.
The latest versions of Prometei now provide the attackers with a sophisticated and stealthy backdoor that supports a wide range of tasks that make mining Monero coins the least of the victims’ concerns.
While the threat actor behind this botnet remains unknown at this time, there are indications that they speak Russian: the name given to the botnet, Prometei, is the Russian word for Prometheus, and older versions used Russian code and product names.