A botnet named after Prometheus jumps is also exploiting Exchange Server flaws

Written by

Sometimes a glaring new software vulnerability is all that scammers need to revive a trusty hacking scheme. 

Just days after Microsoft announced that suspected Chinese spies were exploiting bugs in Microsoft Exchange Server software in March, Russian-speaking attackers controlling a botnet, or army of compromised computers, used those vulnerabilities to conduct a series of intrusions at companies in North America, according to incident responders at security firm Cybereason.

The hacks, which are among several breaches involving the Exchange Server vulnerabilities, show how the same bugs in widely used software can be used for very different purposes. And the reemergence of the so-called Prometei botnet, named after the Russian word for Prometheus, the Greek god of fire, is a reminder of the many malicious purposes that the zombie computers serve.

Cybereason said it was aware of more than a dozen recent hacking incidents involving the Prometei botnet, which the attackers typically use to generate cryptocurrency. The botnet, first discovered last year, has previously targeted the financial, manufacturing and travel sectors, according to Cybereason.

In this case, the operators of Prometei appear to be solely interested in making money. Botnets, though, are frequently used for multiple purposes, and the Emotet and Trickbot hacking tools are so often used to deploy ransomware that U.S. government agencies and tech companies have tried to disrupt them.

The Prometei administrators have some of the technical groundwork in place should they want to embrace more “destructive payloads,” like ransomware, according to Cybereason. They use EternalBlue, a stolen U.S. National Security Agency hacking tool that allows malicious code to spread from one machine to another. Still, the attackers have confined themselves to using compromised servers to generate the Monero cryptocurrency.  

Ever the opportunists, it’s little surprise that botnet operators were some of the first on the scene when the Exchange Server vulnerabilities were revealed.

“Botnet operators usually want to spread fast and mostly infect machines indiscriminately,” Assaf Dahan, Cybereason’s head of threat research, said in an email.

Dahan and his colleagues make the case that Prometei has been around since 2016, based on a command they found in the malicious code.