Botnets are generally used by attackers to perform automated tasks, such as attacking other systems or hijacking their resources for malicious purposes. However, some actors have altered their behavior in recent times: modern botnets can also steal and validate credentials, posing a greater threat to the organizations they infect.
Lately, Cisco Talos spotted a cryptocurrency-mining botnet doing exactly this.
Researchers found a multi-modular botnet campaign, active since March 2020, that uses multiple ways to spread a payload dubbed Prometei and earns money for the attacker by mining the Monero cryptocurrency. So far, it only generates $1,250 per month on average.
How does it work?
- The botnet spreads by copying its files from infected systems to new ones over Windows Server Message Block (SMB), using passwords retrieved by a modified Mimikatz module and exploits such as EternalBlue.
- Several custom tools help the botnet increase the number of systems infected for Monero mining. In total, the botnet has more than 15 executable modules, all downloaded and controlled by the main module.
- The attackers can perform various activities such as executing programs and commands; launching command shells; opening, downloading, and stealing files; and launching cryptomining operations, among other functions.
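As an added defender-side example (not code from the Talos report or from Prometei itself), the Python script below looks for the fan-out that credential-based spreading over SMB admin shares leaves in share-access telemetry: one source host and account reaching ADMIN$ or C$ on several machines within minutes. The log lines, their key=value format, the hosts and the accounts are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value form modelled on Windows
# Security event 5140 (a network share object was accessed). Not real telemetry.
SAMPLE_LOG = """\
2020-07-21T10:00:05 EventID=5140 Src=10.0.0.5 Target=FS01 Share=ADMIN$ Account=CORP\\itadmin
2020-07-21T10:01:10 EventID=5140 Src=10.0.0.23 Target=FS01 Share=ADMIN$ Account=CORP\\svc_backup
2020-07-21T10:01:42 EventID=5140 Src=10.0.0.23 Target=WS07 Share=C$ Account=CORP\\svc_backup
2020-07-21T10:02:03 EventID=5140 Src=10.0.0.23 Target=WS12 Share=ADMIN$ Account=CORP\\svc_backup
2020-07-21T10:02:30 EventID=5140 Src=10.0.0.40 Target=FS01 Share=Public Account=CORP\\jsmith
2020-07-21T10:03:15 EventID=5140 Src=10.0.0.23 Target=WS19 Share=C$ Account=CORP\\svc_backup
"""

ADMIN_SHARES = {"ADMIN$", "C$"}  # hidden administrative shares used to drop files

def parse_event(line):
    """Turn one key=value line into (timestamp, src, target, share, account)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return (datetime.fromisoformat(ts_text), kv["Src"], kv["Target"],
            kv["Share"].upper(), kv["Account"])

def find_smb_fanout(log_text, window=timedelta(minutes=10), min_targets=3):
    """Flag (src, account) pairs that reached admin shares on >= min_targets
    distinct hosts inside one sliding time window: the fan-out pattern left
    by a worm copying itself over SMB with stolen credentials."""
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        if "EventID=5140" not in line:
            continue
        ts, src, target, share, account = parse_event(line)
        if share in ADMIN_SHARES:
            by_actor[(src, account)].append((ts, target))
    alerts = {}
    for actor, hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {host for ts, host in hits[i:] if ts - start <= window}
            if len(hosts) >= min_targets:
                alerts[actor] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for (src, account), hosts in find_smb_fanout(SAMPLE_LOG).items():
        print(f"{src} as {account} reached admin shares on {', '.join(hosts)}")
```

Tune the window and threshold to the environment: legitimate software deployment tools also touch ADMIN$ on many hosts, so the alert is a starting point for triage rather than a verdict.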
Recent Windows SMB exploit attacks
In the recent past, many malware families have been observed exploiting the Microsoft Windows SMB protocol to mine cryptocurrency.
- In May 2020, a cryptocurrency-mining malware operated by the Blue Mockingbird group attempted to spread internally via weakly secured RDP (Remote Desktop Protocol) or SMB (Server Message Block) connections.
- In April 2019, a malware campaign used the EternalBlue exploit (targeting the SMBv1 protocol) together with obfuscated, living-off-the-land PowerShell scripts to drop Trojans and the XMRig Monero cryptominer on compromised machines.
While the behavior of such botnets is worrying, enterprises need to ensure that none of their credentials are leaked to the command and control server. It is therefore imperative that every system is monitored constantly for even a small crack in common applications. Security experts advise organizations to use intrusion detection/prevention tools to detect the presence of threats in their infrastructure.