Prometei, a Russian-affiliated botnet active since 2016, was found by eSentire's Threat Response Unit (TRU) attacking a Windows server belonging to a construction company. The modular malware spreads laterally, mines Monero, steals credentials, takes remote control of the host, and uses self-defense techniques to shut out competing malware. It reaches its command-and-control (C2) infrastructure over both Tor and the clear web.
Because the host had no robust logging or EDR, the initial access vector could not be confirmed; the most likely entry point is weak Remote Desktop Protocol (RDP) credentials. The attackers then ran an elevated command that chained cmd and PowerShell. It first writes a 4-byte XOR key (the string "12" followed by CR LF, i.e. "12\r\n") to C:\Windows\mshlpda32.dll.
PowerShell then retrieves an encrypted payload from 103.91.90.182, base64-decodes it, and applies a rolling XOR decrypt: a counter j grows by 66 for each byte, and each byte at position i is transformed as ((byte XOR (i*3 & 255)) - j) & 255. The result is dropped as C:\Windows\zsvc.exe and executed. If the key file is absent, the script performs only harmless-looking actions instead, such as pinging and dumping system information to C:\Windows\temp\setup_gitlog.txt, and then terminates: a simple sandbox-evasion check.

Attack Chain and Persistence

Prometei adds Windows Defender exclusions for C:\Windows\dell, disables WinRM, opens holes in the Windows Firewall, copies itself as sqhost.exe, and registers that copy as an auto-start service named "UPlugPlay". It fingerprints the host with LOLBins (wmic, cmd /c ver) and COM queries for installed AV products, then registers with its C2 at 103.176.111.176. C2 traffic is carried in HTTP GET parameters whose values are double base64-encoded and may be LZNT1-compressed and RC4-encrypted, with the RC4 key wrapped using RSA-1024.
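Returning to the stager's decrypt step described above: the following is an added example for analysts, not eSentire's code nor the malware's own PowerShell. It implements the transform as this summary states it, so the operand order, the cyclic use of the 4-byte key from mshlpda32.dll, and a counter starting at 0 are all assumptions; the encoder exists only to build test input, and the PE-magic check is the sanity test you would run on a recovered zsvc.exe.

```python
import base64

# Key the page reports being written to C:\Windows\mshlpda32.dll: "12" followed by CR LF.
XOR_KEY = b"12\r\n"
COUNTER_STEP = 66  # the page says the counter grows by 66 per byte


def rolling_xor_decode(data: bytes, key: bytes = XOR_KEY, step: int = COUNTER_STEP) -> bytes:
    """Undo the stager's transform byte by byte.

    Assumptions (not stated precisely on the page): the 4-byte key is XORed
    cyclically, the counter j starts at 0, and each byte becomes
    ((byte XOR (i*3 & 255)) - j) & 255 with i = byte index.
    """
    out = bytearray(len(data))
    j = 0
    for i, b in enumerate(data):
        b ^= key[i % len(key)]      # cyclic key XOR (assumption)
        b ^= (i * 3) & 0xFF         # position-dependent tweak from the page
        out[i] = (b - j) & 0xFF     # subtract the rolling counter
        j += step
    return bytes(out)


def rolling_xor_encode(plain: bytes, key: bytes = XOR_KEY, step: int = COUNTER_STEP) -> bytes:
    """Inverse of rolling_xor_decode; used here only to build test input."""
    out = bytearray(len(plain))
    j = 0
    for i, p in enumerate(plain):
        b = (p + j) & 0xFF
        b ^= (i * 3) & 0xFF
        b ^= key[i % len(key)]
        out[i] = b
        j += step
    return bytes(out)


def encode_stage(plain: bytes) -> str:
    """What the download server would hand out: base64 over the scrambled bytes."""
    return base64.b64encode(rolling_xor_encode(plain)).decode("ascii")


def decode_stage(b64_text: str) -> bytes:
    """What the PowerShell does after download: base64-decode, then rolling XOR."""
    return rolling_xor_decode(base64.b64decode(b64_text))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a recovered zsvc.exe: a PE image starts with the 'MZ' magic."""
    return data[:2] == b"MZ"


# Constructed stand-in for the downloaded payload; not a real executable.
SAMPLE_PLAIN = b"MZ" + b"\x90" * 6 + b"constructed sample payload, not a real PE"
SAMPLE_B64 = encode_stage(SAMPLE_PLAIN)

if __name__ == "__main__":
    recovered = decode_stage(SAMPLE_B64)
    print("round trip ok:", recovered == SAMPLE_PLAIN, "PE magic:", looks_like_pe(recovered))
```

If a real sample is in hand, replace SAMPLE_B64 with the blob the PowerShell downloads and confirm the output starts with MZ; if it does not, the operand order or the starting counter differs from the assumption above, and those two knobs are the first things to vary.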
Value prefixes mark the encoding: "E$" indicates encrypted data and "Z$" indicates compressed data. Parameters include i (random ID), r (CPU load), add (system information), h (hostname), and answ (task replies such as process lists).

Dell\walker_updater.cmd is a batch script that downloads a password-protected 7-Zip archive (password "horhor123") from 23.248.230.26 and unpacks the modules:
- rdpcIip.exe: RDP spreader.
- miWalk*.exe: Mimikatz-based credential dumper.
- netdefender.exe: blocks brute-forcing IPs based on Event ID 4625 (failed logon) entries.
- Windrlver.exe: SSH propagation.
- smcard.exe, msdtc.exe: Tor proxies.

No CVE is exploited directly in this intrusion, but Prometei takes advantage of configuration weaknesses related to the following:

CVE ID          Description                           CVSS  Windows versions affected
CVE-2022-24500  CLFS driver stack buffer overflow     7.8   Win 7-11, Server 2008-2022
CVE-2021-36934  HiveNightmare                         7.8   Win 10, Server 2019
CVE-2019-0708   BlueKeep, RDP remote code execution   9.8   Win 7, Server 2008

Sample SHA256: 8d6f833656638f8c1941244c0d1bc88d9a6b2622a4f06b1d5340eac522793321
Recommendations: patch RDP, enforce MFA and long passphrases, lock accounts after repeated failed logons, restrict LOLBins with AppLocker, and deploy EDR/MDR. eSentire isolated the host to support cleanup and uses its YARA rule for threat hunts. Prometei illustrates how botnets evolve; its defender modules, which shut out competing malware, keep its hold on a host.
Keep an eye on your servers.
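The netdefender.exe module above reacts to Event ID 4625 from the attacker's side; the account-lockout recommendation is the defender's equivalent. The following added example (not eSentire's detection content, and run over constructed sample records rather than events from this case) shows the detection logic a SOC would run over Security log exports: failed RDP logons per source IP inside a sliding window, the usernames tried, and whether a successful logon (4624) from the same IP followed the failures, which turns a block into an incident.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Security log records, flattened to
# EventID;TimeCreated;TargetUserName;IpAddress;LogonType.
# These are made up for the example, not events from the eSentire case.
SAMPLE_EVENTS = """\
4625;2025-07-01T10:00:01;administrator;203.0.113.7;10
4625;2025-07-01T10:00:02;administrator;203.0.113.7;10
4625;2025-07-01T10:00:03;admin;203.0.113.7;10
4625;2025-07-01T10:00:04;sqlsvc;203.0.113.7;10
4625;2025-07-01T10:00:05;administrator;203.0.113.7;10
4624;2025-07-01T10:00:06;administrator;203.0.113.7;10
4625;2025-07-01T10:05:00;jdoe;198.51.100.4;10
4625;2025-07-01T10:30:00;jdoe;198.51.100.4;10
4625;2025-07-01T11:00:00;backup;192.0.2.9;3
"""

# Logon types seen for RDP: 10 = RemoteInteractive, 3 = Network (RDP with NLA).
RDP_LOGON_TYPES = {3, 10}


def parse_events(text: str) -> list:
    """Parse the flattened records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, ts, user, ip, logon_type = line.split(";")
        events.append({
            "id": int(event_id),
            "time": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "logon_type": int(logon_type),
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)) -> dict:
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    For each flagged IP, record the peak failure count in the window, the
    distinct usernames tried (one account vs. spraying), and whether a 4624
    success from the same IP followed the failures.
    """
    recent = defaultdict(deque)      # ip -> timestamps of failures still in window
    tried = defaultdict(set)         # ip -> usernames attempted
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        if ev["id"] == 4625:
            q = recent[ip]
            q.append(ev["time"])
            tried[ip].add(ev["user"])
            while q and ev["time"] - q[0] > window:
                q.popleft()              # drop failures older than the window
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "success_after_failures": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif ev["id"] == 4624 and ip in alerts:
            alerts[ip]["success_after_failures"] = True
    for ip, alert in alerts.items():
        alert["users"] = sorted(tried[ip])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, alert)
```

Two slow failures from 198.51.100.4 half an hour apart stay below the threshold, which is the point of the window: the threshold should be tied to the lockout policy so that an IP is flagged before the attacker can cycle enough accounts to avoid it.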