- A newly discovered Monero-mining botnet is netting a sole hacker around $1,250 per month
- The botnet, codenamed Prometei by Cisco Talos, which discovered it, has been running since March
- The script utilizes a host’s computer processing power to mine Monero in the background
A new Monero mining botnet has raked in some $5,000 worth of XMR in four months for its operator, according to cyber intelligence firm Cisco Talos. The malware, a cryptocurrency-mining botnet attack that the group is calling “Prometei”, uses several techniques that antivirus software may not spot and that are not immediately obvious to end-users, with the aim of mining XMR tokens through users’ computers.
Monero Botnet Hacker Flying Under the Radar Since March
Cisco Talos says that the malware employs various methods to spread across the network, including the use of stolen credentials, and also uses several specially crafted tools to help the botnet increase the number of systems participating in its Monero-mining pool. Cisco Talos states that Prometei has been operational since March this year and so far seems to have flown under the radar.
The botnet consistently achieves between 700KH/sec and 950KH/sec of mining power, which Cisco Talos says suggests that the number of infected systems is “in the low thousands”. The botnet has therefore likely earned the operators just under $5,000 worth of Monero so far, or $1,250 per month on average. The hacker is likely “a single developer in Eastern Europe”, which the company says means he doesn’t have to earn a huge amount to live comfortably.
XMR Mining and Password Theft
The Monero-mining malware spreads when the main botnet file is copied from other infected systems by means of the SMB communications protocol, using passwords retrieved by the Mimikatz password-stealing tool. According to Cisco Talos, the botnet has over 15 executable modules that all get downloaded and driven by the main module.
As well as utilizing the host computer’s processing power to mine Monero, Prometei also tries to uncover administrator passwords which are then sent to the botnet’s command center and used to try and hack new hosts. Cisco Talos advises that “defenders need to be constantly vigilant and monitor the behavior of systems within their network.”