The Prometei botnet has returned in a new global campaign and has already infected 10,000 devices in 155 countries, with the number of breaches growing by the day.
The modular malware, which has been around since 2016, has been spotted in a new campaign by researchers from Cisco Talos, who report that the botnet operators are using a new, upgraded variant that appears to be its third major release.
The notable additions in the new version include a domain-generating algorithm (DGA), a self-updating mechanism, and a new way to gain access to target devices using an Apache web server pre-loaded with a web shell.
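Of the three additions, the domain-generating algorithm is the one that leaves a footprint in logs a defender already collects: a bot that computes its rendezvous domains on the fly tends to resolve names that look nothing like human-chosen ones. The script below is an added example, not code from the article or from Cisco Talos, and it does not model Prometei's actual DGA, which the article does not describe. It applies generic lexical heuristics (entropy, vowel and digit ratios, label length) to a constructed set of DNS query log lines; the log format, the `client=`/`query=` fields, the thresholds and the sample domain names are all assumptions made for the illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (assumed format). None of these names are
# real Prometei indicators; the two random-looking labels are made up to stand
# in for the kind of name a DGA typically produces.
SAMPLE_DNS_LOG = """\
2023-03-10T12:00:01Z client=10.0.0.5 query=www.example.com
2023-03-10T12:00:02Z client=10.0.0.5 query=mail.example.com
2023-03-10T12:00:03Z client=10.0.0.7 query=xk3q9zvbtp27lm.net
2023-03-10T12:00:04Z client=10.0.0.7 query=qp8wzx4tnvrk1h.org
2023-03-10T12:00:05Z client=10.0.0.9 query=updates.vendor-cdn.com
"""

LOG_LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<fqdn>\S+)")
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn):
    """Second-level label of a name (naive: no public-suffix list is consulted)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label):
    """Count how many generic 'looks machine-generated' signals a label trips.

    The thresholds are assumptions chosen for this illustration, not values
    derived from the Prometei DGA.
    """
    length = len(label)
    if length == 0:
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / length
    digit_ratio = sum(ch.isdigit() for ch in label) / length
    signals = [
        shannon_entropy(label) > 3.3,  # many distinct characters, little repetition
        vowel_ratio < 0.15,            # effectively unpronounceable
        digit_ratio > 0.2,             # digits mixed into the label
        length >= 12,                  # long for a second-level label
    ]
    return sum(signals)


def flag_dga_like_queries(log_text, min_score=3):
    """Parse log lines and return (client, fqdn, score) for names at or above min_score."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        fqdn = m.group("fqdn")
        score = dga_score(registrable_label(fqdn))
        if score >= min_score:
            hits.append((m.group("client"), fqdn, score))
    return hits


def clients_by_hit_count(hits):
    """Group flagged queries per client; one host resolving many such names stands out."""
    per_client = defaultdict(int)
    for client, _, _ in hits:
        per_client[client] += 1
    return dict(per_client)


if __name__ == "__main__":
    flagged = flag_dga_like_queries(SAMPLE_DNS_LOG)
    for client, fqdn, score in flagged:
        print(f"{client}  {fqdn}  score={score}")
    print(clients_by_hit_count(flagged))
```

On the constructed log this flags only the two random-looking names, both from the same client, while `example.com` and `vendor-cdn.com` score zero. Lexical heuristics like these produce false positives on CDN and cloud hostnames, so in practice the per-client count matters more than any single hit, and the scores are better used to prioritise which resolver logs to examine than as a blocking rule on their own.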
Prometei Targets and Goal
Prometei’s current victimology is not targeted but random and opportunistic, so the botnet may breach anything from the computers of large organizations to personal home PCs.
Regarding the targeted countries, only Russia is exempted from infections in the ongoing campaign, indicating that the threat actors are Russian or affiliated with Russia. The countries that have suffered the largest number of infections so far are the United States, China, Brazil, India, Singapore, France, Italy, and India.
[Figure: Map showing Prometei victim concentration]
The botnet’s primary goal is to hijack its victims’ available computational resources to mine Monero. This cryptocurrency is very popular among cybercriminals because it is very hard for law enforcement authorities to trace it. (This is discussed more in our guide on private and anonymous payments.)
However, Talos also observed Prometei engaging in credential harvesting activity, using the