A botnet named after Prometheus is also exploiting Exchange Server flaws

The botnet was active just days after the Exchange Server vulnerabilities were announced.

Sometimes a glaring new software vulnerability is all that scammers need to revive a trusty hacking scheme. 

Just days after Microsoft announced that suspected Chinese spies were exploiting bugs in Microsoft Exchange Server software in March, Russian-speaking attackers controlling a botnet, or army of compromised computers, used those vulnerabilities to conduct a series of intrusions at companies in North America, according to incident responders at security firm Cybereason.

The hacks, which are among several breaches involving the Exchange Server vulnerabilities, show how the same bugs in widely used software can be used for very different purposes. And the reemergence of the so-called Prometei botnet, named after the Russian word for Prometheus, the Greek god of fire, is a reminder of the many malicious purposes that the zombie computers serve.

Cybereason said it was aware of more than a dozen recent hacking incidents involving the Prometei botnet, which the attackers typically use to generate cryptocurrency. The botnet, first discovered last year, has previously targeted the financial, manufacturing and travel sectors, according to Cybereason.


In this case, the operators of Prometei appear to be solely interested in making money. Botnets, though, are frequently used for multiple purposes, and the Emotet and Trickbot hacking tools are so often used to deploy ransomware that U.S. government agencies and tech companies have tried to disrupt them.

The Prometei administrators have some of the technical groundwork in place should they want to embrace more “destructive payloads,” like ransomware, according to Cybereason. They use EternalBlue, a stolen U.S. National Security Agency hacking tool that allows malicious code to spread from one machine to another. Still, the attackers have confined themselves to using compromised servers to generate the Monero cryptocurrency.  

Botnet operators are ever the opportunists, so it’s little surprise that they were some of the first on the scene when the Exchange Server vulnerabilities were revealed.

“Botnet operators usually want to spread fast and mostly infect machines indiscriminately,” Assaf Dahan, Cybereason’s head of threat research, said in an email.

Dahan and his colleagues make the case that Prometei has been around since 2016, based on a command they found in the malicious code.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
