Stratos Ally

Prometei Botnet Leverages Cryptojacking to Spread Globally  


StratosAlly


Lurking in the hidden corners of the internet, the Prometei botnet has quietly spread across continents, infecting over 10,000 computers in countries from Brazil to Germany. Although its origins go back to 2016, Prometei largely evaded notice until 2020, when researchers discovered its silent campaign. What makes this botnet so dangerous is that it targets computers running aged, vulnerable software, gets in through those openings, and puts the unknowing machines to work at underground cryptomining. Prometei siphons off processing power much as a persistent thief siphons fuel from a locked car. Meanwhile, its developers deliberately steer clear of one area: Russia and its neighbouring regions. Today, both officials and business leaders have to reckon with the fact that Prometei's intrusion into its victims' systems is quiet but highly effective, and it signals, once again, the need to be ready to face cyber threats.  

Prometei’s strength lies in targeting outdated, unpatched software, especially systems like Microsoft Exchange. Think of it as a digital thief sneaking through an unlocked door rather than breaking down a well-guarded entrance. Its entry is not subtle; the botnet starts with repeated failed login attempts, signalling it is probing for weaknesses. Once inside, it exploits old vulnerabilities, such as the BlueKeep and EternalBlue bugs, which many organizations have yet to address.  
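The repeated failed logins described above are the earliest signal a defender gets. The following is an added example, not code from the article or from any Prometei research; it runs a sliding-window count over constructed failed-logon records (Windows event 4625, with 4624 as the matching success) to flag sources that are probing accounts, and then highlights any flagged source that later logged on successfully.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry: "timestamp source_ip account event_id".
# 4625 = "An account failed to log on", 4624 = "An account was successfully logged on".
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 administrator 4625
2024-05-01T10:00:03 203.0.113.7 admin 4625
2024-05-01T10:00:04 203.0.113.7 exchange 4625
2024-05-01T10:00:06 203.0.113.7 sysadmin 4625
2024-05-01T10:00:08 203.0.113.7 backup 4625
2024-05-01T10:00:09 203.0.113.7 test 4625
2024-05-01T10:02:00 198.51.100.9 jsmith 4625
2024-05-01T10:02:30 198.51.100.9 jsmith 4624
2024-05-01T10:40:00 203.0.113.7 administrator 4624
"""

def parse_events(text):
    """Turn the simplified log text into (timestamp, source, account, event_id) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, account, event_id = line.split()
        events.append((datetime.fromisoformat(ts), src, account, int(event_id)))
    return events

def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source: distinct accounts tried} for every source with at least
    `threshold` failed logons inside some sliding window of length `window`."""
    failures = defaultdict(list)
    for ts, src, account, eid in events:
        if eid == 4625:
            failures[src].append((ts, account))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1          # slide the window forward past stale attempts
            if end - start + 1 >= threshold:
                flagged[src] = len({acct for _, acct in attempts})
                break
    return flagged

def success_after_probing(events, flagged):
    """Flagged sources that later produced a successful logon: escalate these first,
    since the probing may have worked."""
    first_fail = {}
    for ts, src, _, eid in events:
        if eid == 4625 and src in flagged:
            first_fail[src] = min(first_fail.get(src, ts), ts)
    return sorted({src for ts, src, _, eid in events
                   if eid == 4624 and src in first_fail and ts > first_fail[src]})
```

Calling `find_bruteforce_sources(parse_events(SAMPLE_LOG))` flags only 203.0.113.7 (six accounts tried within eight seconds), and `success_after_probing` reports that the same source later logged on successfully.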

Once inside, Prometei uses clever tactics to entrench its control. For example, it tries to hide its presence by forcing certain passwords to be stored in memory in plain text and by instructing Windows Defender to ignore its malicious files. Its particular interest is cryptojacking: it secretly mines Monero cryptocurrency using the infected computer’s resources, making the machine run slowly and consume more energy without its owner’s permission.  

For example, imagine leaving your car idling, with no idea anything is wrong. Someone blows the horn, you come out to a smell of fuel, and it turns out someone has siphoned your tank. Prometei mines Monero the same way: rather than supplying its own resources, it siphons computing power from a large number of infected systems. Its footprint is everywhere, yet it specifically avoids regions with Russian speakers, which hints at a Russian origin.  

Prometei’s persistence and global reach are a timely reminder for organizations to apply software updates promptly and conduct regular security checks, steps that go a long way toward eliminating such threats. 
