
Prometei is modular malware: it gives the operator remote control, steals credentials, mines Monero, spreads laterally, and uses self-defense modules to lock rival intruders out of the host. It reaches its command-and-control (C2) infrastructure over both the clear web and TOR.
Initial access most likely came through weak Remote Desktop Protocol (RDP) credentials, a common entry point on hosts without centralized logging or EDR. The attackers then ran an elevated command that chained cmd and PowerShell.
The command first writes a 4-byte XOR key ("12rn") to C:\Windows\mshlpda32.dll. PowerShell then fetches an encrypted payload from 103.91.90.182, base64-decodes it, and applies a rolling XOR decrypt in which each byte is transformed as (byte XOR (i*3 & 255) - j) & 255, where i is the byte offset and j is a running counter incremented by 66 per byte. The result is written to C:\Windows\zsvc.exe and executed.
If the key file is missing, the dropped binary instead performs benign-looking actions (a ping, a systeminfo dump to C:\Windows\temp\setup_gitlog.txt) and exits. This is a simple but effective sandbox check: an analysis environment that detonates zsvc.exe on its own, without the key file, never sees the malicious path.
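The decryption stage above is easy to reproduce for analysis. The following is an added example written for this page, not code from the article or from eSentire: it implements the rolling XOR exactly as the text describes it (key byte (i*3) & 0xFF, running counter j stepping by 66 per byte, output ((c XOR k) - j) & 0xFF), preceded by the base64 decode. The initial value of the counter is not stated on the page and is assumed to be 0 here; the encrypt helper exists only to build the constructed sample input, and the sample is a fake PE header, not a real payload. The 4-byte "12rn" key file is a separate presence check and plays no part in this stage as the article describes it.

```python
"""Decoder for the rolling-XOR payload stage described in the article.

Added example, not code from the article or from eSentire. Assumptions:
  - counter j starts at 0 (the page does not state the initial value)
  - the key byte for offset i is (i * 3) & 0xFF and j grows by 66 per byte
"""
import base64

COUNTER_STEP = 66  # per-byte increment of the running counter j (from the article)


def rolling_xor_decrypt(data: bytes, j0: int = 0) -> bytes:
    """Recover plaintext: p[i] = ((c[i] ^ ((i*3) & 0xFF)) - j) & 0xFF, j += 66."""
    out = bytearray(len(data))
    j = j0
    for i, c in enumerate(data):
        k = (i * 3) & 0xFF
        out[i] = ((c ^ k) - j) & 0xFF
        j = (j + COUNTER_STEP) & 0xFF  # masking j is harmless: the result is masked anyway
    return bytes(out)


def rolling_xor_encrypt(data: bytes, j0: int = 0) -> bytes:
    """Inverse transform, c[i] = ((p[i] + j) & 0xFF) ^ k. Used only to build sample input."""
    out = bytearray(len(data))
    j = j0
    for i, p in enumerate(data):
        k = (i * 3) & 0xFF
        out[i] = ((p + j) & 0xFF) ^ k
        j = (j + COUNTER_STEP) & 0xFF
    return bytes(out)


def decode_stage(blob_b64: str, j0: int = 0) -> bytes:
    """Full stage as the article describes it: base64 decode, then rolling XOR decrypt."""
    return rolling_xor_decrypt(base64.b64decode(blob_b64), j0)


def looks_like_pe(data: bytes) -> bool:
    """Quick sanity check on the recovered bytes: a PE file starts with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed sample (NOT a real payload): a fake PE header run through the encrypt helper.
# Note that with j0 = 0 the very first byte is unchanged (key 0, counter 0), so the
# encrypted blob still starts with 'M'; only from offset 1 onward does the data change.
SAMPLE_PLAIN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode."
SAMPLE_B64 = base64.b64encode(rolling_xor_encrypt(SAMPLE_PLAIN)).decode()


if __name__ == "__main__":
    recovered = decode_stage(SAMPLE_B64)
    print("PE header recovered:", looks_like_pe(recovered))
    print(recovered)
```

To apply this to a real capture, replace SAMPLE_B64 with the base64 blob served by the download URL and, if the first bytes do not come out as MZ, try small non-zero values for j0 (the page does not give the counter's starting value).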

Attack Chain and Persistence
Prometei copies itself to sqhost.exe, registers it as an auto-start service named "UPlugPlay", opens Windows Firewall rules for itself, adds a Defender exclusion for C:\Windows\dell, and disables WinRM.
It fingerprints the box using LOLBins (wmic, cmd /c ver) and COM queries for AV products, then registers with C2 at 103.176.111.176.
C2 traffic is carried in HTTP GET parameters. Values are RC4-encrypted (the RC4 key is wrapped with RSA-1024), LZNT1-compressed, and base64-encoded twice.
A value prefixed "E$" is encrypted and one prefixed "Z$" is compressed. The parameters include i (random bot ID), r (CPU load), add (system information), h (hostname), and answ (task replies such as process lists).
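The parameter names and E$/Z$ prefixes give a usable beacon shape for hunting in proxy or IIS logs. The block below is an added example, not code from the article or from eSentire. The parameter set, the prefixes, and the three IPs come from this page; the log format, the request paths, and every log line are constructed for the demo and are not real traffic. The thresholds (a wrapped value plus at least two beacon parameters, or four beacon parameters without one) are a design choice made here to keep ordinary requests that happen to use short parameter names such as h or r from firing.

```python
"""Hunt for Prometei-style C2 beacons in web proxy logs.

Added example, not from the article. Log format is constructed:
    <timestamp> <client-ip> <method> <url> <status>
"""
import re
from urllib.parse import parse_qs, urlsplit

# Infrastructure named on the page (payload host, C2, module download host).
KNOWN_C2_HOSTS = {"103.91.90.182", "103.176.111.176", "23.248.230.26"}
# GET parameters the article lists for the beacon.
BEACON_PARAMS = {"i", "r", "add", "h", "answ"}
# "E$" marks an RC4-encrypted value, "Z$" an LZNT1-compressed one.
WRAPPED_VALUE = re.compile(r"^[EZ]\$")


def classify_url(url: str) -> list:
    """Return the reasons a URL looks like a Prometei beacon (empty list if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # parse_qs turns '+' into a space, which does not affect the prefix test.
    qs = parse_qs(parts.query, keep_blank_values=True)
    present = BEACON_PARAMS & set(qs)
    wrapped = sorted(
        k for k, vals in qs.items() if any(WRAPPED_VALUE.match(v) for v in vals)
    )
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append(f"known Prometei host {host}")
    if wrapped and len(present) >= 2:
        reasons.append(f"E$/Z$-wrapped value in {wrapped} with beacon params {sorted(present)}")
    elif len(present) >= 4:
        reasons.append(f"beacon parameter set {sorted(present)} without known host")
    return reasons


def hunt(log_lines) -> list:
    """Run classify_url over log lines; return (client_ip, url, reasons) for hits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip
        _ts, client, _method, url = fields[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed log lines (not real traffic). Paths and values are made up for the demo;
# 203.0.113.9 is a documentation address standing in for an unknown C2.
LOG_LINES = [
    "2024-03-01T10:00:01Z 10.0.5.17 GET http://103.176.111.176/c/?i=ab12cd&r=3&h=WIN-SRV01&add=E$Q1RydW5jYXRlZA%3D%3D 200",
    "2024-03-01T10:00:02Z 10.0.5.17 GET http://cdn.example.com/img.png?h=64&r=1 200",
    "2024-03-01T10:00:03Z 10.0.5.42 GET http://203.0.113.9/gate?i=77&answ=Z$eJzT0yMAAGTvBe8%3D 200",
    "2024-03-01T10:00:04Z 10.0.5.42 GET http://intranet.example.com/search?q=prometei 200",
]


if __name__ == "__main__":
    for client, url, reasons in hunt(LOG_LINES):
        print(client, url)
        for r in reasons:
            print("   -", r)
```

The second constructed line (h and r on an image request) is the reason for the threshold: two short parameter names alone are not evidence. The third line is flagged with no IP match at all, which is the case that matters once the operator rotates infrastructure.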
A batch script, dell\walker_updater.cmd, downloads 7-Zip and a password-protected archive update.7z (password "horhor123") from 23.248.230.26 and unpacks the following modules:
- netdefender.exe: blocks brute-force source IPs by watching for Event ID 4625 (failed logons), locking competitors out of the host
- rdpcIip.exe: RDP spreader
- miWalk*.exe: Mimikatz, for credential theft
- windrlver.exe: SSH propagation
- msdtc.exe, smcard.exe: TOR proxies
No exploitation of a specific CVE was observed in this intrusion; the page lists the following Windows vulnerabilities as related weaknesses that the same kind of intrusion relies on and that should be patched:
| CVE ID | Description | CVSS | Affected Windows Versions |
|---|---|---|---|
| CVE-2022-24500 | Windows SMB remote code execution | 8.8 | Win 7-11, Server 2008-2022 |
| CVE-2021-36934 | HiveNightmare/SeriousSAM: over-permissive ACLs on SAM/SYSTEM/SECURITY hive copies allow local privilege escalation | 7.8 | Win 10/Server 2019 |
| CVE-2019-0708 | BlueKeep: pre-authentication RDP remote code execution | 9.8 | Win 7/Server 2008 |
Sample SHA256: 8d6f833656638f8c1941244c0d1bc88d9a6b2622a4f06b1d5340eac522793321.
Mitigations: patch RDP, enforce MFA and long passphrases, lock accounts after repeated failures, restrict LOLBins with AppLocker, and deploy EDR or MDR. eSentire isolated the host and assisted with cleanup; its Yara rule for this sample is available for threat hunting.
Prometei shows how botnets keep evolving: the netdefender module denies competing brute-forcers access to the host, so the operator keeps it exclusively and the infection persists. Keep a close watch on internet-exposed servers.
The post Prometei Botnet Targets Windows Servers to Gain Remote Access and Deploy Malware appeared first on Cyber Security News.
