"Prometei Botnet Evolves and Infected +10,000 Systems since November 2022"

According to researchers at Cisco Talos, the Prometei botnet has infected over 10,000 devices worldwide since November 2022. The cryptocurrency-mining botnet has a modular structure and uses a variety of methods to infect devices and evade detection. Cisco Talos first observed the Prometei botnet in July 2020, and an analysis of artifacts uploaded to VirusTotal led analysts to conclude that the botnet may have been operational since at least May 2016. Researchers noted that the malware's developers have added new modules and functionality on a consistent basis, and Cisco Talos confirms that recent changes show the botnet continuing to enhance its modules and demonstrate new capabilities. The botnet operators updated some submodules of the execution chain to automate activities and to make forensic analysis harder to carry out successfully. Based on data gathered by sinkholing the botnet's domain generation algorithm (DGA) domains for one week in February 2023, Cisco Talos estimates with high confidence that version 3 of the Prometei botnet is of medium size, with more than 10,000 infected devices worldwide. The most recent release includes previously undocumented features, including an alternate command-and-control (C2) DGA and a self-updating mechanism. The new variant bundles a version of the Apache web server with a web shell, which is deployed onto victim hosts. This article continues to discuss the new version of the Prometei botnet that has infected over 10,000 systems worldwide since November 2022.

Security Affairs reports "Prometei Botnet Evolves and Infected +10,000 Systems since November 2022"