A new malicious called Prometei has been determined, that including Exchange servers have ProxyLogon vulnerability to cryptocurrency network. Prometei is a modular malicious code and has different features like credential dumping, usage of the system for cryptocurrency minning, and lateral movement. Prometei has two different versions for both Windows and GNU/Linux.
Prometei exploits the ProxyLogon vulnerabilities (CVE-2021-27065 and CVE-2021-26858) and uploads China Chopper web Shell. After uploading China Chopper, attackers downloads the zsvc.exe on the victim’s machine with PowerShell. After gaining persistence, another malicious file called sqhost.exe is downloade by attacker. With sqhost.exe, attackers can use the victim system for Monero minning with using XMRig open source code. However, Prometei uses Mimikatz for lateral movement.
A more detailed investigation of Prometei can be found on the cybereason blog page. It looks like threat actors still keep using Prometei. To avoid of this risk, exchange vulnerabilities need to be eliminated fastly, and these IoCs can be used to detect and prevent Prometei.
IoCs:
File Hashs – SHA256
f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4
D8e3e22997533300c097b47d71feeda51dca183c35a0d818faa12ee903e969d5
b0e743517e7abf75a80b81bb7aadc9c166ac47ba89c0654ba855dda1e4d96c3e
55fc69a7e1b2371d8762be0b4f403d32db24902891fdbfb8b7d2b7fd1963f1b4
e4bd40643f64ac5e8d4093bddee0e26fcc74d2c15ba98b505098d13da22015f5
fb8f100e646dec8f19cb439d4020b5f5f43afdc2414279296e13469f13a018ca
e961c07d534bc1cb96f159fce573fc671bd188cef8756ef32acd9afb49528331
2f114862bd999c38b69b633488bcbb6c74c9a11e28b7ef335f6c77bba32ed2d6
5de7afdde08f7b8ba705c8332c693747d537fd5b1bb0e7b0c757c0f364a60eb8
dc73a88f544efc943da73c9f6535facdb61800f6205ad3dddb9adb7c6ab229ab