Unmasking Prometei: A Deep Dive Into Our MXDR Findings

    Date: 10/24/2024

    Severity: Medium

    Summary

    "Unmasking Prometei: A Deep Dive Into Our MXDR Findings" examines the Prometei botnet, active since 2016, which focuses on cryptocurrency mining and credential theft. By early 2023 it had compromised over 10,000 systems, particularly in Brazil, Indonesia, and Turkey. The report details its use of a domain generation algorithm, its exploitation of vulnerabilities such as BlueKeep and flaws in Microsoft Exchange, and its self-updating features for persistence. It emphasizes the necessity of advanced MXDR strategies to counter this evolving threat effectively.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://103.40.123.34/k.php?B=_AMD64,PSDN0020,504K45A188441R4UE
    http://103.41.204.104/7z32.dll
    http://103.41.204.104/srch.7z
    https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi?r=9&i=N8Q4Y90O9T4MXH
    http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgi
    p2.feefreepool.net

    IP Address

    196.7.210.6
    196.7.209.178
    196.7.210.160
    88.198.246.242
    187.79.243.171
    103.41.204.104
    155.207.200.242
    134.88.5.200:22
    142.4.205.155
    89.163.213.192
    145.239.200.92
    45.194.35.180

    Hash (SHA-256)

    39b1042a5b02f3925141733c0f78b64f9fae71a37041c6acc9a9a4e70723a0f1
    ea8cde21792543d7e55dd9a2a894c3cd4fc4fabaeab20ba689b84416c20a6e37
    a1b3e8de2855b274edd9e6f7d7798e3cefe1aae8697568d333e00979054ecf58
    01bee3bb01f34f8da926c6b83980958166f1b10d00a923deb87361e9f34bcd83
    82c19c95f70c2a67be8a4914ed6c6b79b84aef3c1d65fefe85f90d89538bbe23
    25dc9c2a2d31c42c63de0ed247784e33ea31f140d8035ac2141cb46f25eaefd4
    a546c3defb20bb18205b19c5218795fa9c6388d2e2ec3e65707b4e7afaeac0e1
    44458197aafcb273b91f90a8cc55078b318e4f8a0384303acd1a5b3c13ff1ee0

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "http://103.40.123.34/k.php?B=_AMD64,PSDN0020,504K45A188441R4UE" or url like "http://103.40.123.34/k.php?B=_AMD64,PSDN0020,504K45A188441R4UE" or userdomainname like "http://103.41.204.104/7z32.dll" or url like "http://103.41.204.104/7z32.dll" or userdomainname like "http://103.41.204.104/srch.7z" or url like "http://103.41.204.104/srch.7z" or userdomainname like "https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi?r=9&i=N8Q4Y90O9T4MXH" or url like "https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi?r=9&i=N8Q4Y90O9T4MXH" or userdomainname like "http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgi" or url like "http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgi" or userdomainname like "p2.feefreepool.net" or url like "p2.feefreepool.net"

    Detection Query 2

    dstipaddress IN ("196.7.210.6","196.7.209.178","196.7.210.160","88.198.246.242","187.79.243.171","103.41.204.104","155.207.200.242","134.88.5.200:22","142.4.205.155","89.163.213.192","145.239.200.92","45.194.35.180") or ipaddress IN ("196.7.210.6","196.7.209.178","196.7.210.160","88.198.246.242","187.79.243.171","103.41.204.104","155.207.200.242","134.88.5.200:22","142.4.205.155","89.163.213.192","145.239.200.92","45.194.35.180") or publicipaddress IN ("196.7.210.6","196.7.209.178","196.7.210.160","88.198.246.242","187.79.243.171","103.41.204.104","155.207.200.242","134.88.5.200:22","142.4.205.155","89.163.213.192","145.239.200.92","45.194.35.180") or srcipaddress IN ("196.7.210.6","196.7.209.178","196.7.210.160","88.198.246.242","187.79.243.171","103.41.204.104","155.207.200.242","134.88.5.200:22","142.4.205.155","89.163.213.192","145.239.200.92","45.194.35.180")

    Note: the entry "134.88.5.200:22" carries a port suffix. An exact IN match against a field that holds a bare IP address will never hit it; to cover that indicator, match the address 134.88.5.200 on the IP field and the port 22 on the destination-port field separately.

    Detection Query 3

    sha256hash IN ("39b1042a5b02f3925141733c0f78b64f9fae71a37041c6acc9a9a4e70723a0f1","ea8cde21792543d7e55dd9a2a894c3cd4fc4fabaeab20ba689b84416c20a6e37","a1b3e8de2855b274edd9e6f7d7798e3cefe1aae8697568d333e00979054ecf58","01bee3bb01f34f8da926c6b83980958166f1b10d00a923deb87361e9f34bcd83","82c19c95f70c2a67be8a4914ed6c6b79b84aef3c1d65fefe85f90d89538bbe23","25dc9c2a2d31c42c63de0ed247784e33ea31f140d8035ac2141cb46f25eaefd4","a546c3defb20bb18205b19c5218795fa9c6388d2e2ec3e65707b4e7afaeac0e1","44458197aafcb273b91f90a8cc55078b318e4f8a0384303acd1a5b3c13ff1ee0")
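    The three detection queries above match the URL/domain, IP and SHA-256 indicators against separate log fields. The following Python script is an added example (not Gurucul's or Trend Micro's code) that shows the same matching logic run offline over a handful of constructed log lines, with the normalisation a practitioner has to add in practice: it splits the port-suffixed entry "134.88.5.200:22" so the address still matches a bare IP field, extracts the hostname from URL indicators so a DNS or proxy field can hit them, and compares hashes case-insensitively. The field names (src_ip, dst_ip, dst_port, url, domain, sha256) and the key=value log format are assumptions for this example; the indicators themselves are the ones listed on this page.

```python
from urllib.parse import urlparse

# Indicators from the page. Duplicate IPs are omitted; "134.88.5.200:22" is kept as
# written because split_ip_port() normalises it below.
IOC_URLS = [
    "http://103.40.123.34/k.php?B=_AMD64,PSDN0020,504K45A188441R4UE",
    "http://103.41.204.104/7z32.dll",
    "http://103.41.204.104/srch.7z",
    "https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi?r=9&i=N8Q4Y90O9T4MXH",
    "http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgi",
    "p2.feefreepool.net",
]
IOC_IPS = [
    "196.7.210.6", "196.7.209.178", "196.7.210.160", "88.198.246.242",
    "187.79.243.171", "103.41.204.104", "155.207.200.242", "134.88.5.200:22",
    "142.4.205.155", "89.163.213.192", "145.239.200.92", "45.194.35.180",
]
IOC_SHA256 = [
    "39b1042a5b02f3925141733c0f78b64f9fae71a37041c6acc9a9a4e70723a0f1",
    "ea8cde21792543d7e55dd9a2a894c3cd4fc4fabaeab20ba689b84416c20a6e37",
    "a1b3e8de2855b274edd9e6f7d7798e3cefe1aae8697568d333e00979054ecf58",
    "01bee3bb01f34f8da926c6b83980958166f1b10d00a923deb87361e9f34bcd83",
    "82c19c95f70c2a67be8a4914ed6c6b79b84aef3c1d65fefe85f90d89538bbe23",
    "25dc9c2a2d31c42c63de0ed247784e33ea31f140d8035ac2141cb46f25eaefd4",
    "a546c3defb20bb18205b19c5218795fa9c6388d2e2ec3e65707b4e7afaeac0e1",
    "44458197aafcb273b91f90a8cc55078b318e4f8a0384303acd1a5b3c13ff1ee0",
]


def split_ip_port(value):
    """Split an 'ip:port' indicator into (ip, port); a bare IPv4 gives (ip, None)."""
    ip, sep, port = value.partition(":")
    return (ip, int(port)) if sep and port.isdigit() else (value, None)


def host_of(value):
    """Hostname of a URL indicator, or the value itself (lower-cased) for a bare domain."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.lower()


def build_ioc_sets(urls=IOC_URLS, ips=IOC_IPS, hashes=IOC_SHA256):
    """Normalise the raw indicator lists into sets keyed by what a log field actually holds."""
    ip_set, ip_port_set = set(), set()
    for entry in ips:
        ip, port = split_ip_port(entry)
        ip_set.add(ip)
        if port is not None:
            ip_port_set.add((ip, port))
    return {
        "urls": {u for u in urls if "://" in u},      # exact full-URL matches
        "hosts": {host_of(u) for u in urls},          # hostnames for DNS/proxy fields
        "ips": ip_set,
        "ip_ports": ip_port_set,
        "sha256": {h.lower() for h in hashes},
    }


def parse_log_line(line):
    """Parse a constructed 'key=value key=value' log line into a dict (assumed format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def match_event(event, iocs):
    """Return (field, indicator_type, value) triples for every indicator the event hits."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        ip = event.get(field)
        if ip in iocs["ips"]:
            hits.append((field, "ip", ip))
            # The port-qualified indicator only fully matches when the port agrees too.
            port = event.get("dst_port") if field == "dst_ip" else None
            if port and port.isdigit() and (ip, int(port)) in iocs["ip_ports"]:
                hits.append((field, "ip_port", f"{ip}:{port}"))
    url = event.get("url")
    if url and url != "-":
        if url in iocs["urls"]:
            hits.append(("url", "url", url))
        elif host_of(url) in iocs["hosts"]:
            hits.append(("url", "host", host_of(url)))
    domain = event.get("domain")
    if domain and domain.lower() in iocs["hosts"]:
        hits.append(("domain", "host", domain.lower()))
    digest = event.get("sha256")
    if digest and digest.lower() in iocs["sha256"]:
        hits.append(("sha256", "sha256", digest.lower()))
    return hits


def scan_logs(lines, iocs=None):
    """Run each log line through the matcher; returns {line_number: hits} for lines that hit."""
    iocs = iocs or build_ioc_sets()
    findings = {}
    for n, line in enumerate(lines, 1):
        hits = match_event(parse_log_line(line), iocs)
        if hits:
            findings[n] = hits
    return findings


# Constructed sample events (private/TEST-NET source addresses; benign line 3 must not hit).
SAMPLE_LOGS = [
    "ts=2024-10-24T10:00:01Z src_ip=10.0.0.5 dst_ip=134.88.5.200 dst_port=22 url=-",
    "ts=2024-10-24T10:00:02Z src_ip=10.0.0.7 dst_ip=103.41.204.104 dst_port=80 url=http://103.41.204.104/7z32.dll",
    "ts=2024-10-24T10:00:03Z src_ip=10.0.0.9 dst_ip=192.0.2.10 dst_port=443 url=https://example.com/",
    "ts=2024-10-24T10:00:04Z src_ip=10.0.0.9 dst_ip=192.0.2.20 dst_port=443 domain=p2.feefreepool.net",
    "ts=2024-10-24T10:00:05Z host=ws12 sha256=44458197AAFCB273B91F90A8CC55078B318E4F8A0384303ACD1A5B3C13FF1EE0",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {n}: {hits}")
```

    Lines 1, 2, 4 and 5 of the sample set produce findings; line 3 does not. The design point is that each indicator class is normalised once into the shape the corresponding log field holds, so the matcher never silently misses the port-qualified IP or a hostname that only appears inside a URL indicator.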

    Reference:

    https://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html

    Tags: Malware, Prometei, Botnet
