Prometei

Prometei is a sophisticated malware that exploits vulnerabilities such as BlueKeep (CVE-2019-0708) and Microsoft Exchange Server (CVE-2021-27065 and CVE-2021-26858), in addition to using PowerShell scripts to retrieve payloads. The botnet, named after the Russian translation for Prometheus, indicating a possible cultural connection, has demonstrated its complexity and persistence in compromised environments. Prometei's primary propagation method involves exploiting Remote Desktop Protocol (RDP) and Server Message Block (SMB) vulnerabilities, utilizing Windows Management Instrumentation (WMI) and lateral movement tactics to spread rapidly within systems. The detection of Prometei malware was achieved through a combination of Incident Response, Threat Intelligence, and Managed Extended Detection and Response (MXDR), providing a comprehensive understanding of the botnet and its potential impact on compromised networks. In one notable incident, the botnet was used in an attempt to infiltrate a customer’s system via a targeted brute force attack. This highlights the aggressive nature of Prometei and its threat to network security. Despite efforts to identify them, the threat actors behind Prometei remain largely unknown, although evidence suggests they are Russian-speaking individuals. One of Prometei's unique features is its use of Domain Generation Algorithms (DGAs), which create numerous random domain names. This allows Prometei to maintain communication with an attacker’s server even when some domains are blocked, further demonstrating its resilience and potential for damage.