Identifying the Threat Group
The threat actors behind Prometei remain largely unidentified, but evidence suggests they are Russian-speaking individuals. The name “Prometei,” derived from the Russian translation for Prometheus, hints at a cultural connection.
Older versions of the malware dating back to 2016 contained remnants of Russian language settings, such as an unedited “product name” in the main bot module and a language code indicating Russian.
Furthermore, Prometei appears to avoid infecting other Russian speakers, as observed in the behavior of some of its modules. One notable example is its integration with a Tor client, which facilitates communication with a Tor C&C server while avoiding certain exit nodes in the former Soviet Union. Another component, nvsync.exe, checks stolen credentials and deliberately skips accounts labeled “Guest” and “Other user” (in Russian), further suggesting a focus on specific targets.
Conclusion
Our investigation into the Prometei attack reveals the botnet’s complexity and persistence in compromised environments. Utilizing WMI and lateral movement tactics, Prometei rapidly spreads by exploiting SMB and RDP vulnerabilities. Key components like sqhost.exe and miwalk.exe facilitate credential harvesting and connections to command-and-control servers. The presence of encoded payloads, Base64-obfuscated PowerShell commands, and firewall modifications underscores the attackers’ efforts to evade detection and maintain persistence.
Incorporating MXDR services into our investigation enhanced real-time monitoring and event correlation, boosting the ability to detect and respond to malicious activities early in the attack lifecycle. By combining Incident Response, Threat Intelligence, and MXDR, we gained a comprehensive understanding of the Prometei botnet and its potential impact on the compromised network. This investigation highlights the importance of proactive detection and response, showing how the right solutions and intelligence (as facilitated by Trend Vision One) can reduce dwell time and protect against advanced threats.
Trend Micro Vision One Threat Intelligence
To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.
Trend Micro Vision One Intelligence Reports App [IOC Sweeping]
Unmasking Prometei: A Deep Dive Into Our MXDR Findings
Trend Micro Vision One Threat Insights App
Emerging Threats: Unmasking Prometei: A Deep Dive Into Our MXDR Findings
Hunting Queries
Trend Micro Vision One Search App
Trend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post against data in their environment.
Detection of PROMETEI Malware
malName:*PROMETEI* AND eventName:MALWARE_DETECTION
More hunting queries are available for Vision One customers with the Threat Insights entitlement enabled.
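To show what the hunting query above actually selects, here is an added example (not Trend Micro's code, and not the Search App's query engine) that evaluates the same field:pattern AND field:pattern expression over a handful of constructed detection events; only the malName and eventName fields come from the post, the host field and all event values are made up.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# Hunting query quoted in the post. The Search App syntax is richer than this;
# the evaluator below (an assumption, not the product's engine) supports only
# field:pattern terms joined by AND, with * as a wildcard.
PROMETEI_QUERY = "malName:*PROMETEI* AND eventName:MALWARE_DETECTION"

# Constructed sample events, not telemetry from the investigation.
# "host" is a made-up field; malName/eventName are the fields the query uses.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws-01", "malName": "Trojan.Win64.PROMETEI.AA",
     "eventName": "MALWARE_DETECTION"},
    {"host": "ws-02", "malName": "Coinminer.Win64.PROMETEI.B",
     "eventName": "MALWARE_DETECTION"},
    {"host": "ws-03", "malName": "Trojan.Win64.PROMETEI.AA",
     "eventName": "FILE_SCAN"},            # right family, wrong event type
    {"host": "ws-04", "malName": "Trojan.Win32.EMOTET.A",
     "eventName": "MALWARE_DETECTION"},    # right event type, wrong family
]


def parse_query(query: str) -> List[Tuple[str, str]]:
    """Split 'field:pattern AND field:pattern' into (field, pattern) terms."""
    terms = []
    for raw in re.split(r"\s+AND\s+", query.strip()):
        field, _, pattern = raw.partition(":")
        if not field or not pattern:
            raise ValueError(f"malformed term: {raw!r}")
        terms.append((field.strip(), pattern.strip()))
    return terms


def event_matches(event: Dict[str, str], terms: List[Tuple[str, str]]) -> bool:
    """All terms must match; wildcard comparison is case-insensitive."""
    for field, pattern in terms:
        value = event.get(field)
        if value is None or not fnmatch.fnmatchcase(value.upper(), pattern.upper()):
            return False
    return True


def hunt(events: List[Dict[str, str]], query: str = PROMETEI_QUERY) -> List[Dict[str, str]]:
    """Return the events the query would surface, in input order."""
    terms = parse_query(query)
    return [e for e in events if event_matches(e, terms)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], hit["malName"], hit["eventName"])
```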
Indicators of Compromise
The full list of IOCs can be found here.