Uncovering the Threat Group
The perpetrators behind Prometei are largely unknown; however, the evidence points to individuals proficient in the Russian language. The alias “Prometei,” the Russian rendering of Prometheus, suggests a cultural tie.
Earlier variants of the malware from 2016 contained traces of Russian-language configuration, such as an unmodified “product name” in the primary bot module and a language code specifying Russian.
Moreover, Prometei appears to avoid infecting Russian-speaking targets, as evidenced by the behavior of certain modules. One notable feature is the bundled Tor client, which simplifies communication with a Tor C&C server while deliberately avoiding specific exit nodes in the former Soviet Union. Another component, nvsync.exe, searches the stolen credentials but deliberately skips accounts named “Guest” and “Other user” (in Russian), again indicating a focus on specific victims.
Summary
Our analysis of the Prometei attack shows the complexity and persistence of the botnet inside compromised environments. By exploiting SMB and RDP vulnerabilities, and using WMI together with lateral movement techniques, Prometei spreads rapidly. Core components such as sqhost.exe and miwalk.exe gather credentials and establish connections to command-and-control servers. The use of encoded payloads, Base64-obfuscated PowerShell commands, and firewall adjustments underscores the operators’ efforts to evade detection and maintain persistence.
Integrating MXDR services strengthened our investigation by enabling real-time monitoring and event correlation, improving our ability to detect and counter malicious activity early in the attack cycle. By combining Incident Response, Threat Intelligence, and MXDR, we obtained a holistic view of the Prometei botnet and its potential impact on the compromised network. This investigation underscores the importance of proactive identification and response, showing how the right solutions and intelligence (delivered through Trend Vision One) can reduce dwell time and strengthen defenses against sophisticated threats.
Trend Micro Vision One Threat Insight
To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay a step ahead of cyber threats and better prepares them for emerging risks. It provides comprehensive details on threat actors, their malicious activities, and the techniques they employ. Leveraging this intelligence enables customers to take proactive measures to protect their environments, mitigate risks, and respond effectively to threats.
Trend Micro Vision One Intelligence Reports Access [IOC Sweeping]
Revealing Prometei: A Detailed Exploration of Our MXDR Discoveries
Trend Micro Vision One Threat Insights Access
Emerging Threats: Revealing Prometei: A Detailed Exploration of Our MXDR Discoveries
Hunting Queries
Trend Micro Vision One Search Tool Access
Customers using Trend Micro Vision One can use the Search Tool to match or hunt for the malicious indicators described in this blog post within their own data.
Detection of PROMETEI Malware
malName:*PROMETEI* AND eventName:MALWARE_DETECTION
Additional hunting queries are available to Vision One customers with the Threat Insights Entitlement enabled.
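The summary above notes that Prometei relies on Base64-obfuscated PowerShell commands, firewall adjustments and a small set of named components (sqhost.exe, miwalk.exe, nvsync.exe). As an added example that is not part of the original post or any Trend Micro tool, the following Python script shows how a defender can apply those observations to process-creation records: it decodes -EncodedCommand payloads (UTF-16LE, as PowerShell expects), flags netsh firewall rule additions, and matches the component names. The sample records are constructed for illustration.

```python
import base64
import re

# Prometei component names discussed in the post; used here only as hunt terms.
PROMETEI_COMPONENTS = ("sqhost.exe", "miwalk.exe", "nvsync.exe")

# PowerShell accepts abbreviated, case-insensitive forms of -EncodedCommand.
ENCODED_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Real netsh syntax for adding an inbound/outbound firewall rule.
FIREWALL_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.IGNORECASE)


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload as text, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(image, cmdline):
    """Return the list of findings for one (image, command line) record."""
    findings = []
    decoded = decode_encoded_powershell(cmdline)
    text = cmdline + (" " + decoded if decoded else "")   # inspect the decoded script too
    if decoded is not None:
        findings.append("encoded_powershell")
    if FIREWALL_RE.search(text):
        findings.append("firewall_rule_added")
    hits = [c for c in PROMETEI_COMPONENTS if c in (image + " " + text).lower()]
    if hits:
        findings.append("prometei_component:" + ",".join(hits))
    return findings


def _enc(script):
    """Build an -EncodedCommand argument the way PowerShell expects (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (image, command line); not taken from the incident.
SAMPLE_EVENTS = [
    ("powershell.exe", "powershell.exe -nop -w hidden -enc " + _enc("Start-Process sqhost.exe")),
    ("cmd.exe", "cmd.exe /c netsh advfirewall firewall add rule name=x dir=in action=allow program=miwalk.exe"),
    ("notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
]


def scan(events):
    """Return [(index, findings)] for every record that triggered at least one rule."""
    results = []
    for i, (image, cmdline) in enumerate(events):
        findings = analyze_event(image, cmdline)
        if findings:
            results.append((i, findings))
    return results
```

Running scan(SAMPLE_EVENTS) flags the first two records and leaves the benign notepad.exe record untouched; the decoded script is included in the matching so a component name hidden inside the Base64 blob is still caught.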
Indicators of Compromise
The complete list of IOCs can be accessed here.
