Prometei botnet improves modules and exhibits new capabilities in recent updates

Prometei v3 continues to evolve with updated execution-chain modules, self-updating capabilities, and a bundled Apache webserver with a PHP web shell, expanding both Windows and Linux variants. The threat remains financially driven, targeting a wide global victim pool with a DGA for C2 and Tor-based communication, while adapting to geopolitical constraints related to Russia and Ukraine. #Prometei #Monero #DGA #Tor #CVE-2019-0708 #ApacheWebserver

Keypoints

  • Prometei v3 is estimated to be a medium-sized botnet (~10,000 infected systems) based on sinkholing DGA domains over a one-week window in Feb 2023.
  • Open-source intel indicates continued spread and improvement of Linux versions of Prometei alongside Windows activity.
  • New functionality includes a domain-generation algorithm (DGA), a self-updating mechanism, and a bundled Apache webserver with a PHP-based web shell on victims.
  • The botnet shows Ukraine-war–influenced targeting, with Russia excluded in Tor configurations, suggesting geopolitical shaping of infections.
  • Execution chain upgrades automate updates, encrypt/de-obfuscate payloads, and use PowerShell to fetch the primary module (sqhost.exe) and subsequent components.
  • Prometei employs SMB/RDP spread, Mimikatz-based credential theft, BlueKeep exploitation, SSH-based lateral movement, and Tor-based C2 communications.

MITRE Techniques

  • [T1584.005] Compromise Infrastructure: Botnet – The actors maintain and expand a botnet infrastructure to host and distribute payloads. “Resource Development” – “Prometei operators… continuously updating and expanding Prometei’s modules.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The execution chain begins with a malicious PowerShell command that downloads the primary module. “malicious PowerShell command that downloaded the primary listening and execution module, referred to throughout as “sqhost.exe.””
  • [T1569.002] System Services: Service Execution – Persistence via a Windows service named “UPlugPlay” that runs sqhost.exe. “persistence is obtained by creating an automated system service named ‘UPlugPlay’.”
  • [T1505.003] Server Software Component: Webshell – Dropping a bundled Apache Webserver with a PHP-based web shell on victims. “bundled version of the Apache Webserver with a web shell deployed onto victim hosts.”
  • [T1027] Obfuscated Files or Information – The primary module is downloaded in encrypted form using XOR obfuscation. “encrypted form through a simple XOR byte alteration pattern.”
  • [T1036] Masquerading – Files are renamed (e.g., zsvc.exe to sqhost.exe) to blend with legitimate processes. “The original downloaded file is then renamed from ‘zsvc.exe’ to ‘sqhost.exe’.”
  • [T1070.004] Indicator Removal on Host: File Deletion – Install/update flow deletes older module instances before replacing them. “deletes all current versions of the target files on disk and then renames the extracted versions.”
  • [T1140] Deobfuscate/Decode Files or Information – The XOR-obfuscated payload is decoded on the host as part of execution; the write-up describes the decoding steps (e.g., XOR decoding) rather than giving a single quotable line.
  • [T1562] Impair Defenses – Defense evasion via firewall rule manipulation to allow malicious components. “firewall rule named ‘Secure Socket Tunneling Protocol (HTTP)’ … to add ‘C:Windows…sqhost.exe’ to the allowed programs list.”
  • [T1210] Exploitation of Remote Services – Lateral movement using SMB- and RDP-based spreaders and Mimikatz-based credential theft. “spreader program through Server Message Block (SMB) and is used alongside its partner component ‘miwalk.exe’ … A remote desktop protocol (RDP)-based spreading module, ‘bklocal2.exe’ and ‘bklocal4.exe’.”
  • [T0884] Connection Proxy – C2 communications via Tor network and onion addresses. “the C2’s Tor address represented by the hardcoded URL in sqhost.exe and ‘onion’ TLD: … .onion/cgi-bin/prometei.cgi”.
  • [T1090.003] Proxy: Multi-hop Proxy – Tor-based multi-hop proxy used for C2 communications. “Tor configuration” mentioning exit-node exclusion/inclusion.
  • [T1105] Ingress Tool Transfer – Modules and payloads are downloaded from the C2 server (e.g., sqhost.exe, 7z archives, etc.). “downloaded from a C2 server.”
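As an added defender-side example (not code from the Talos write-up), the Python below matches the host artifacts named in the mappings above: the ‘UPlugPlay’ service, the zsvc.exe to sqhost.exe rename, the legitimate ‘Secure Socket Tunneling Protocol (HTTP)’ firewall rule name reused to allow sqhost.exe, and execution of the module. The telemetry lines and their ‘type|key=value’ format are constructed for this example.

```python
# Constructed sample telemetry for this example, in a simplified
# "type|key=value|key=value" form loosely modelled on Sysmon-style fields;
# these are not real logs from the Talos write-up.
SAMPLE_EVENTS = [
    "service_install|name=UPlugPlay|image=C:\\Windows\\sqhost.exe",
    "file_rename|src=C:\\Windows\\zsvc.exe|dst=C:\\Windows\\sqhost.exe",
    "firewall_rule|name=Secure Socket Tunneling Protocol (HTTP)|action=allow|program=C:\\Windows\\sqhost.exe",
    "process_create|image=C:\\Windows\\sqhost.exe|parent=C:\\Windows\\System32\\services.exe",
    # Benign look-alikes that must NOT fire (real PlugPlay service, legitimate rule for a system binary).
    "service_install|name=PlugPlay|image=C:\\Windows\\System32\\svchost.exe",
    "firewall_rule|name=Secure Socket Tunneling Protocol (HTTP)|action=allow|program=C:\\Windows\\System32\\svchost.exe",
]

MALICIOUS_SERVICE = "uplugplay"  # masquerades as the built-in "PlugPlay" service
REUSED_RULE_NAME = "secure socket tunneling protocol (http)"  # legitimate rule name reused by the malware
MODULE_NAMES = {"sqhost.exe", "zsvc.exe"}

def parse_event(line):
    """Split one 'type|k=v|k=v' line into a dict."""
    etype, *fields = line.split("|")
    event = {"type": etype}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def basename(path):  # case-insensitive file name of a Windows path
    return path.rsplit("\\", 1)[-1].lower()

def is_persistence_service(e):
    return e["type"] == "service_install" and e.get("name", "").lower() == MALICIOUS_SERVICE

def is_masquerade_rename(e):
    return (e["type"] == "file_rename" and basename(e.get("src", "")) == "zsvc.exe"
            and basename(e.get("dst", "")) == "sqhost.exe")

def is_firewall_allow_sqhost(e):
    # The rule name alone also matches a legitimate Windows rule; the signal is
    # that name combined with sqhost.exe as the allowed program.
    return (e["type"] == "firewall_rule" and e.get("name", "").lower() == REUSED_RULE_NAME
            and e.get("action") == "allow" and basename(e.get("program", "")) == "sqhost.exe")

def is_module_execution(e):
    return e["type"] == "process_create" and basename(e.get("image", "")) in MODULE_NAMES

RULES = [is_persistence_service, is_masquerade_rename, is_firewall_allow_sqhost, is_module_execution]

def detect(lines):
    """Return [(rule name, raw line)] for every event matching a rule; look-alikes stay silent."""
    events = [(line, parse_event(line)) for line in lines]
    return [(rule.__name__[3:], line) for line, ev in events for rule in RULES if rule(ev)]
```

Running `detect(SAMPLE_EVENTS)` yields exactly the four malicious events; the PlugPlay service and the same-named firewall rule for svchost.exe produce no finding.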

Indicators of Compromise

  • [Domain] xinchao-related domains – xinchaodbcdbh.org, xinchaodbcdbh.com, and 2 more domains
  • [Domain] Tor onion domain – gb7ni5rgeexdcncj.onion
  • [IP] 103.65.236.53:80, 221.120.144.101:3333, and 2 more IPs
  • [File name] sqhost.exe, zsvc.exe, and 2 more items (7z.exe, 7z.dll)
  • [Archive] AppServ180.zip, SearchIndexer.exe, and 2 more items
  • [Wallet] Monero wallet – 4A1txQ9L8h8NqF4EtGsZDP5vRN3yTVKynbkyP1jvCiDajNLPepPbBdrbaqBu8fCTcFEFdCtgbekSsTf17B1MhyE2AKCEyfR
  • [File] desktop.txt / desktop.dat (miner config files), and related payloads

Read more: https://blog.talosintelligence.com/prometei-botnet-improves/