Prometei Botnet Attacking Windows Server to Gain Remote Access and Deploy Malware

In Cybersecurity News (original source: cybersecuritynews.com) by Blog Writer

Prometei Botnet Attacking Windows Server

A sophisticated attack is targeting Windows Server systems using Prometei, a Russian-linked botnet that has been active since 2016.

This multi-functional malware combines cryptocurrency mining, credential theft, and remote-control capabilities to maintain long-term access to compromised systems.

The Prometei botnet infiltrates systems by exploiting weak or default credentials via Remote Desktop Protocol (RDP). Once attackers gain access, they execute a two-stage deployment command combining Command Prompt and PowerShell.

Malicious two-stage deployment command (source: eSentire)

The attack requires the malware to write an XOR key file (mshlpda32.dll) to the Windows directory, which it then uses to decrypt and execute its main payload.

The malware deploys itself as a Windows service named “UPlugPlay” and copies itself to C:\Windows\sqhost.exe.

It creates Windows Firewall exceptions and Microsoft Defender exclusions to ensure uninterrupted operation and communication with command-and-control (C2) servers.

Advanced Capabilities and Encryption

Prometei demonstrates sophisticated technical capabilities through multiple layers of encryption.

The malware uses RC4, LZNT1, and RSA-1024 for C2 communications, making detection and analysis challenging.

It collects extensive system information, including computer names, hardware specifications, installed antivirus software, and running processes, using legitimate Windows tools like wmic.exe.

Prometei’s process tree of decoy actions used for sandbox bypass (source: eSentire)

The botnet communicates with C2 servers over both the clear web and the TOR network to maintain privacy.

It employs a rolling XOR key-based cipher to decrypt its code and data sections, with each byte using a unique transformation based on its position.

Prometei expands its capabilities by downloading modules like netdefender.exe, which monitors failed login attempts and blocks other attackers using firewall rules.

Attack chain leading to Prometei (source: eSentire)

This “jealous tenant” behavior ensures exclusive access for Prometei operators by preventing other threat actors from compromising the same system.

Additional modules include Mimikatz variants (miWalk32.exe and miWalk64.exe) for credential harvesting, rdpcIip.exe for lateral movement using default passwords, and windrlver.exe for SSH-based spreading.

The malware also includes TOR proxy modules (msdtc.exe and smcard.exe) to route traffic anonymously.

UPlugPlay Windows service (source: eSentire)

eSentire security researchers have developed YARA rules and Python utilities to detect and analyze Prometei infections.
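As an added host-triage example (not eSentire’s tooling and not code from the article), the following PowerShell checks a Windows Server for the artefacts named above and reports them without changing anything; the function name is my own, and the assumption that modules land in the Windows directory is marked in the comments.

```powershell
# Added triage example, not eSentire's tooling. Checks a Windows Server for the
# Prometei artefacts named in the article and returns findings without changing
# anything. Assumption: modules land in the Windows directory, like sqhost.exe.
function Find-PrometeiIndicators {
    $findings = @()

    # Service name and binary used for persistence (UPlugPlay / sqhost.exe)
    $svc = Get-CimInstance Win32_Service -Filter "Name='UPlugPlay'" -ErrorAction SilentlyContinue
    if ($svc) { $findings += "Service UPlugPlay present, PathName: $($svc.PathName)" }

    # Files the article names: the main binary, the XOR key file it depends on,
    # and the downloaded modules. msdtc.exe is skipped on purpose: a legitimate
    # Windows binary carries that name, so a name match alone proves nothing.
    $names = 'sqhost.exe', 'mshlpda32.dll', 'netdefender.exe', 'miWalk32.exe',
             'miWalk64.exe', 'rdpcIip.exe', 'windrlver.exe', 'smcard.exe'
    foreach ($n in $names) {
        $p = Join-Path $env:SystemRoot $n
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }

    # The same names as running processes, wherever they were started from
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $names -contains ($_.ProcessName + '.exe') } |
        ForEach-Object { $findings += "Process running: $($_.ProcessName) (PID $($_.Id)) $($_.Path)" }

    # Defender exclusions and firewall rules that reference those artefacts
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        foreach ($e in (@($pref.ExclusionPath) + @($pref.ExclusionProcess) | Where-Object { $_ })) {
            if ($e -match 'sqhost|mshlpda32|netdefender') { $findings += "Defender exclusion: $e" }
        }
    }
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -match 'sqhost|netdefender' } |
        Get-NetFirewallRule |
        ForEach-Object { $findings += "Firewall rule referencing a Prometei binary: $($_.DisplayName)" }

    return $findings
}

$hits = @(Find-PrometeiIndicators)
if ($hits.Count -eq 0) { 'No Prometei indicators from the article found.' } else { $hits }
```

Run it in an elevated session; a hit on the service, the key file or a Defender exclusion is a strong signal, while a bare file-name match should be confirmed with the YARA rules mentioned above.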

Organizations should implement strong password policies, multi-factor authentication for remote access, and account lockout mechanisms, and should monitor RDP services for suspicious activity.

The malware’s modular architecture allows continuous evolution, with modules being updated independently.

Patched bytes used to debug Prometei’s Windows service (source: eSentire)

Endpoint Detection and Response (EDR) solutions are essential for identifying the complex process chains and registry modifications that characterize Prometei infections.

Network monitoring should focus on unusual outbound connections to known C2 infrastructure and TOR exit nodes.
