A new cryptocurrency-mining botnet attack called Prometei bypasses detection systems and monetizes its campaigns in less intrusive ways.

It is the first time that anyone’s documented a multi-modular botnet, according to Talos, which discovered the botnet and dubbed it “Prometei.” The botnet, which has been active since March, spreads a payload to provide financial benefits for the attackers by mining Monero for a single developer – also the actor – most likely in Eastern Europe.

Talos in a new report said defenders are likely to spot the botnet, but the infection likely won’t be obvious to end-users. The discovery resulted from Talos investigating telemetry information it received from Cisco AMP for Endpoints’ install base.

After studying its activities over the past two months, Talos believes the actor has used different methods to spread Prometei through a network to gain credentials and Windows Management Instrumentation (WMI) and Server Message Block (SMB) exploits. The adversary also uses several crafted tools that help the botnet increase the amount of systems participating in its Monero-mining pool.

The infection starts with the main botnet file, which is copied from other infected systems by means of SMB, using passwords retrieved by a modified Mimikatz module and exploits such as Eternal Blue.

Talos said the botnet appears to be aware of the latest SMB vulnerabilities, such as SMBGhost, but it did not find evidence of that exploit being utilized. Prometei has more than 15 executable modules that all get downloaded and driven by the main module, which constantly communicates with the command and control (C2) server over HTTP.

The botnet uses techniques of the MITRE ATT&CK framework, most notably T1089 (Disabling Security Tools), T1105 (Remote File Copy), T1027 (Obfuscated Files or Information), T1086 (PowerShell), T1035 (Service Execution), T1036 (Masquerading) and T1090 (Connection Proxy).