Coinminer botnet exploits SMB: Coiminer/Prometei

A new variant of coinminer dubbed as Prometei is found to be in the wild since march this year providing financial benefits to the attacker by mining the Monero online currency on infected Windows machines.

It spreads with botnet binaries being copied from other infected systems via Windows SMB (Server Message Block), using passwords retrieved with Mimikatz (an open-source application that allows users to view authentication credentials) and EternalBlue (an exploit that allows cyber threat actors to remotely execute arbitrary code and gain access to a network by sending specially crafted packets). The malware steals administrator credentials and sends them to the attackers, which could be used on future attacks.

The malware executes the powershell script after exploiting SMB via brute forcing. Powershell script downloads and saves binary files in C:\windows\dell\ directory.

The malware binary on execution checks for existence of directory C:\windows\dell\ to create it. It also checks for the existence of service UPlugPlay, before copying itself as “c:\windows\svchost.exe” and adds a service (command line) under the name UPlugPlay with the copied binary. Then it tries to connect to the attackers CnC server via RC4 encrypted HTTP. The RC4 key used for encryption is generated uniquely for every machine and it is shared with the attacker’s CnC server.

The malware collects the following information from the infected systems and sends them to the attacker,

  • Machine name
  • Processor name
  • Memory size
  • System model
  • Domain name
  • OS Installation date
  • OS Serial number

Then it waits for commands from the CnC server, allowing the attacker to remotely control the infected machines. The commands and the actions done by the malware are,

It executes Mimikatz tool to steal the credentials.The stolen credentials are used to spread the malware to other machines via SMB protocol. It uses psexec tool to remotely execute the malware copied via SMB on other machines. if the attempt to copy files using SMB fails it uses EternalBlue to exploit and spread.

It downloads and executes XMRig, an open sourced Monero CPU Miner. The miner could be controlled by the attacker via commands issued to backdoor module.

Arctos Networks detects the malware as Coinminer/Prometei.

If you find traces of this malware in your IT infrastructure you can contact our technical response team to remove the threats for your network.