Prometei Botnet Exploits Legacy Systems to Mine Cryptocurrency
The eight-year-old botnet “Prometei” continues to infect systems worldwide, spreading cryptojacking programs and web shells. Although it was first discovered in 2020, research data indicates that it has been active since 2016. Over this period, it has infiltrated more than 10,000 computers in countries such as Brazil, Indonesia, Turkey, and Germany.
“Prometei” actively exploits vulnerabilities in widely used software, infiltrating systems with insufficient protection. According to Callie Gunther, Threat Research Manager at Critical Start, the botnet spreads through weak configurations and unsecured servers. It targets regions with low levels of cybersecurity, circumventing geographical restrictions and capitalizing on systemic weaknesses.
A recent report from Trend Micro describes how “Prometei” initially operates rather clumsily, making numerous failed login attempts, but then stealthily exploits outdated vulnerabilities. One such vulnerability is BlueKeep, which allows remote code execution and is still found in legacy RDP systems. It also uses EternalBlue to propagate through the SMB protocol and attempts to bypass security through ProxyLogon, identifying unprotected Exchange servers.
The botnet’s goal is to find systems that have not been regularly updated. According to Mayuresh Dani, an expert from Qualys, “Prometei” primarily seeks easy targets. This approach allows attackers to minimize resistance and extract maximum value from unprotected resources.
Once inside a system, the botnet uses a Domain Generation Algorithm (DGA) to keep contact with its command-and-control servers even when some of the generated domains are blocked. It also forcibly re-enables the obsolete WDigest authentication protocol so that plaintext passwords can be retrieved from memory, and it evades Windows Defender by adding its key libraries to the scan exclusion list.
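The two host-level changes described above leave checkable traces on a Windows machine: the WDigest setting lives in a well-known registry value, and Defender exclusions are visible through the Defender cmdlets and logged as configuration-change events. The following audit script is an added example written for this article, not code from the article or from the Trend Micro or Critical Start research it cites. It assumes an elevated PowerShell session on a host with Microsoft Defender installed; the `-Remediate` switch and the 30-day lookback window are choices made for this example.

```powershell
# Added example (not from the article): audit a Windows host for the two
# settings Prometei is reported to tamper with, and optionally reset WDigest.
[CmdletBinding()]
param(
    [switch]$Remediate   # example switch: set UseLogonCredential back to 0
)

$findings   = @()
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

# 1. WDigest. UseLogonCredential = 1 makes LSASS keep plaintext credentials
#    in memory; on a hardened host the value is 0 or absent.
$useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name 'UseLogonCredential' `
                    -ErrorAction SilentlyContinue).UseLogonCredential
if ($useLogonCred -eq 1) {
    $findings += [pscustomobject]@{ Check = 'WDigest UseLogonCredential'; Value = 1; Status = 'FAIL' }
    if ($Remediate) {
        # Disable plaintext credential caching; a reboot clears anything already cached.
        Set-ItemProperty -Path $wdigestKey -Name 'UseLogonCredential' -Value 0 -Type DWord
    }
} else {
    $shown = if ($null -eq $useLogonCred) { 'not set' } else { $useLogonCred }
    $findings += [pscustomobject]@{ Check = 'WDigest UseLogonCredential'; Value = $shown; Status = 'OK' }
}

# 2. Defender exclusions. Any path, process or extension exclusion that was
#    not deliberately configured by an administrator deserves review, since
#    malware that excludes its own files is otherwise invisible to scans.
$mp = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    $list   = @($mp.$kind)
    $status = if ($list.Count -gt 0) { 'REVIEW' } else { 'OK' }
    $findings += [pscustomobject]@{ Check = "Defender $kind"; Value = ($list -join '; '); Status = $status }
}

# 3. When were exclusions changed? Defender logs every configuration change as
#    event 5007 in its operational log; entries mentioning 'Exclusions' show the
#    old and new values, which dates the tampering for the incident timeline.
$since   = (Get-Date).AddDays(-30)
$changes = Get-WinEvent -FilterHashtable @{
               LogName   = 'Microsoft-Windows-Windows Defender/Operational'
               Id        = 5007
               StartTime = $since
           } -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match 'Exclusions' }
$findings += [pscustomobject]@{
    Check  = 'Defender exclusion changes (event 5007, last 30 days)'
    Value  = @($changes).Count
    Status = if (@($changes).Count -gt 0) { 'REVIEW' } else { 'OK' }
}

$findings | Format-Table -AutoSize
$changes  | Select-Object TimeCreated, Message | Format-List
```

Run it on a host suspected of compromise before any cleanup, so that the exclusion list and the 5007 events are preserved for the timeline; a `FAIL` on the WDigest check on a machine where no administrator intended it is a strong indicator that credential theft, not just mining, has taken place.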
Prometei’s main objective remains the covert mining of Monero cryptocurrency on compromised devices. Additionally, the botnet installs a web shell through the Apache server, enabling attackers to upload additional files and execute arbitrary commands.
Researchers note that the presence of cryptominers, as seen in Prometei campaigns, may signal more severe attacks. As mentioned by Steven Hilt of Trend Micro, botnets often herald other threats, as observed with LemonDuck, which combined cryptojacking with ransomware.
The name “Prometei” references the mythological Prometheus, whose liver regenerated daily after being attacked by an eagle—symbolically reflecting the botnet’s resilience, even after attempts to eradicate it.