
Rewterz Threat Alert – Prometei Crypto-mining Botnet Exploits Windows SMB

July 23, 2020

Severity

Medium

Analysis Summary

Cisco Talos recently discovered a cryptocurrency-mining botnet it calls “Prometei”: a multi-modular botnet with several ways to spread across a network and a payload focused on mining the Monero cryptocurrency for the attacker’s financial benefit. The techniques observed in this campaign include disabling security tools, remote file copy, obfuscated files or information, PowerShell, service execution, masquerading and connection proxy. For lateral movement the actor uses SMB with stolen credentials, PsExec, WMI and SMB exploits, and it also employs several custom-built tools that help the botnet increase the number of systems participating in its Monero-mining pool.

Impact

  • Unauthorized consumption of CPU resources for Monero mining
  • Lateral movement over SMB, PsExec and WMI leading to network-wide infection

Indicators of Compromise

SHA-256

  • 601a1269ca0d274e518848c35a2399115000f099df149673b9dbc3cd77928d40
  • 58d210b47abba83c54951f3c08a91d8091beae300c412316089b5506bd330adc
  • ae078c49adba413a10a38a7dcfc20359808bc2724453f6df03a517b622cbca0e
  • 9a5c109426480c7283f6f659cb863be81bd46301548d2754baf8b38e9e88828d
  • d363dc2aafdf0d9366b5848fc780edfa6888418750e2a61148436908ea3f5433
  • 8ca679d542904a89d677cb3fd7db309364f2214f6dc5e89099081835bec4e440
  • fe0a5d851a9dd2ba7d1b0818f59363f752fc7343bdfc306969280ade54b2f017
  • 7f78ddc27b22559df5c50fd1e5d0957369aadd1557a239aaf4643d51d54c4f94
  • 0d6ca238faf7911912b84086f7bdad3cd6a54db53677a69722de65982a43ee09
  • c08f291510cd4eccaacff5e04f0eca55b97d15c60b72b204eae1fc0c8d652f48
  • f6eddbabc1d6b05d2bc27077bcb55ff640c5cf8b09a18fc51ed160a851f8be58
  • 8b7b40c0f59bbe4c76521b32cc4e344033c5730ccb9de28cfba966d8c26ca3ef
  • a7ad84e8f5deb1d2e32dd84f3294404a5f7f739215bdd90d7d37d74ee8a05409
  • 76110b87e46eb61f492d680a2b34662040bb9c25c947a599536cdaf5170fe581
  • ecd4c12ef01028c3f544c0f7c871c6d6f256997f1b7be4c8fdbb0f8572012444
  • b0500636927b2ddb1e26a21fbf19a8c1fc47a260062976ddbef60fd47c21dc6e
  • ea2174993892789f0c1081152c31b3b3fef79c6a5016840ea72321229c7fe128
  • 9e86d18d5761493e11fe95d166c433331d00e4f1bf3f3b23a07b95d449987b78
  • 923201672a41f93fb43dae22f30f7d2d170c0b80e534c592e796bd8ad95654ea
  • 1df6e9705e9ffb3d2c4f1d9ca49f1e27c4bcac13dba75eac9c41c3785a8ca4b1
  • 7c71fb85b94fb4ff06bbaf81d388d97f6e828428ee9f638525d4f6e488e71190
  • 994d20fee2bd05e67c688e101f747a5d17b0352a838af818ad357c8c7a34a766
  • d3dc9cdb106902471ee95016440b855806e8e5dd0f313864e46126fd3ecfe4fe
  • 4ec815b28fe30f61a282c1943885fa81c6e0e98413f5e7f3f89ec6810f3b62a3
  • e0a181318eb881d481d2e4830289ed128006269ace890139f054cf050351500a

Source IP

  • 103[.]11[.]244[.]221
  • 208[.]66[.]132[.]3
  • 69[.]28[.]95[.]50

URL

  • hxxp[:]//103[.]11[.]244[.]221/crawler[.]php
  • hxxp[:]//103[.]11[.]244[.]221/lR[.]php
  • hxxp[:]//208[.]66[.]132[.]3[:]8080/7z[.]dll
  • hxxp[:]//208[.]66[.]132[.]3[:]8080/7z[.]exe
  • hxxp[:]//208[.]66[.]132[.]3[:]8080/_agent[.]7z
  • hxxp[:]//208[.]66[.]132[.]3[:]8080/chk445[.]php
  • hxxp[:]//208[.]66[.]132[.]3[:]8080/Desktop[.]txt
  • hxxp[:]//208[.]66[.]132[.]3[:]8080/dllr0[.]php
  • hxxp[:]//208[.]66[.]132[.]3[:]8080/srchindx2[.]php
  • hxxp[:]//208[.]66[.]132[.]3[:]8080/zlib[.]php
  • hxxp[:]//208[.]66[.]132[.]3[:]8080/ztasklist[.]php
  • hxxp[:]//69[.]28[.]95[.]50[:]180/miwalk[.]txt
  • hxxp[:]//69[.]28[.]95[.]50[:]180/walker14364[.]php
  • hxxp[:]//69[.]84[.]240[.]57[:]180/lR[.]php
  • hxxp[:]//69[.]84[.]240[.]57[:]180/miwalk[.]txt
  • hxxp[:]//69[.]84[.]240[.]57[:]180/walker14364[.]php
  • hxxp[:]//bk1[.]bitspiritfun2[.]net/cgi-bin/prometei[.]cgi
  • hxxp[:]//p1[.]feefreepool[.]net/cgi-bin/prometei[.]cgi
  • hxxps[:]//gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei[.]cgi
  • hxxps[:]//211[.]23[.]16[.]239/prometheus[.]php
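The indicators above are published defanged (hxxp, [.] and [:]), so they cannot be matched against logs as printed. The following is an added example, not part of the original advisory or of Cisco Talos’s tooling, that refangs a subset of the listed indicators, derives the C2 hosts from the URLs so that a request to a known host on a different path still matches, and runs the check over a few constructed proxy, EDR and DNS log lines. The log lines, host names such as WS-042 and the internal 10.0.0.x addresses are constructed for illustration; only the indicator values come from the advisory.

```python
"""Match the Prometei indicators from this advisory against log lines.

Added example; the indicator values are copied from the advisory (a subset of
the hashes, to keep the block short), the log lines below are constructed.
"""
import re
from typing import Dict, List, Optional, Set

# Indicators as published in the advisory, still defanged.
SHA256 = {
    "601a1269ca0d274e518848c35a2399115000f099df149673b9dbc3cd77928d40",
    "58d210b47abba83c54951f3c08a91d8091beae300c412316089b5506bd330adc",
    "ae078c49adba413a10a38a7dcfc20359808bc2724453f6df03a517b622cbca0e",
}
SOURCE_IPS = {"103[.]11[.]244[.]221", "208[.]66[.]132[.]3", "69[.]28[.]95[.]50"}
URLS = {
    "hxxp[:]//208[.]66[.]132[.]3[:]8080/chk445[.]php",
    "hxxp[:]//69[.]28[.]95[.]50[:]180/miwalk[.]txt",
    "hxxp[:]//bk1[.]bitspiritfun2[.]net/cgi-bin/prometei[.]cgi",
    "hxxps[:]//gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei[.]cgi",
}


def refang(ioc: str) -> str:
    """Reverse the advisory's defanging: hxxp -> http, [.] -> '.', [:] -> ':'."""
    plain = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", plain, flags=re.IGNORECASE)


def build_index() -> Dict[str, Set[str]]:
    """Refang every indicator once and collect the hosts embedded in the URLs,
    so a connection to a C2 host on any path or port is still flagged."""
    urls = {refang(u).lower() for u in URLS}
    hosts = {refang(ip) for ip in SOURCE_IPS}
    for u in urls:
        m = re.match(r"https?://([^/:]+)", u)
        if m:
            hosts.add(m.group(1))
    return {"sha256": {h.lower() for h in SHA256}, "host": hosts, "url": urls}


HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# IPv4 literal, or a dotted host name (also covers .onion names).
HOST_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)+\b",
    re.IGNORECASE,
)


def match_line(line: str, index: Dict[str, Set[str]]) -> List[str]:
    """Return 'kind:value' for every advisory indicator present in one log line."""
    hits: List[str] = []
    for h in HASH_RE.findall(line):
        if h.lower() in index["sha256"]:
            hits.append(f"sha256:{h.lower()}")
    for u in URL_RE.findall(line):
        if u.lower().rstrip(".,;") in index["url"]:
            hits.append(f"url:{u.lower()}")
    for host in HOST_RE.findall(line):
        if host.lower() in index["host"]:
            hits.append(f"host:{host.lower()}")
    return list(dict.fromkeys(hits))  # de-duplicate, keep order


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    '2020-07-23T10:02:11Z proxy src=10.0.0.15 url="http://208.66.132.3:8080/chk445.php" status=200',
    "2020-07-23T10:03:40Z edr host=WS-042 sha256=601A1269CA0D274E518848C35A2399115000F099DF149673B9DBC3CD77928D40 path=C:\\Windows\\Temp\\svc.exe",
    "2020-07-23T10:05:02Z dns src=10.0.0.15 query=bk1.bitspiritfun2.net type=A",
    '2020-07-23T10:06:00Z proxy src=10.0.0.20 url="https://update.example.com/patch" status=200',
]


def scan(lines: List[str], index: Optional[Dict[str, Set[str]]] = None) -> Dict[int, List[str]]:
    """Map line number -> indicator hits for every line that matched."""
    index = index or build_index()
    results: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        hits = match_line(line, index)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOGS).items():
        print(f"line {lineno}: {', '.join(hits)}")
```

Hash matching is case-insensitive because EDR products differ in the case they report; URL matching is exact on the refanged string, while host matching is deliberately looser so that the nonstandard C2 ports (8080 and 180) and unlisted paths on the same hosts are not missed.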

Remediation

  • Block the threat indicators at their respective controls: the file hashes in endpoint protection/EDR, the IP addresses and URLs at the proxy and perimeter firewall.
  • Keep all systems and software patched against known vulnerabilities, giving priority to SMB, since the botnet spreads through SMB exploits.
  • Roll out multi-factor authentication for all access points; the botnet also moves laterally over SMB with stolen credentials, and MFA limits what those credentials are worth.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.