SecurityWeek

Malware & Threats

Multifunctional “Proteus” Malware Emerges

A recently observed piece of multifunctional malware can be used to mine for crypto-currencies, log user keystrokes, and download additional malware onto compromised machines, Fortinet security researchers have discovered.

Dubbed Proteus, this threat has been written in .NET and is being distributed through the Andromeda botnet. The malware, Fortinet researchers say, can act as a proxy, but its authors can also use it as an e-commerce merchant account checker, coin miner, keylogger, and malware downloader.

The malware, which functions as a botnet, was observed encrypting all communications with its command and control (C&C) server. The same symmetric algorithm used to encrypt the communications is also used to encrypt all of the strings inside the bot, the security researchers explain.

Once installed and running, the malware registers with the C&C server by sending an initial registration message containing various details about the infected machine, including processor, BIOS and baseboard information. The bot comes with a hardcoded default fingerprint, researchers say, but it is always overwritten by this collected data, which also serves as a unique identifier for the infected machine.

“The fingerprint is included in the HTTP header in the authorization field. MachineName is retrieved by calling the Win32 API GetComputerName, OperatingSystem is the OS architecture x64 or x86. The BotVersion is obtained from the assembly version that the code is executing in,” Fortinet explained.

To this initial registration message, the C&C server responds with an encrypted string that reads “successful.” Next, the bot continues to beacon to the server constantly, to make sure it is live and to carry out other malicious actions.
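Two of the behaviours described above lend themselves to log-based triage: a machine fingerprint carried in the HTTP Authorization header (which therefore will not start with a registered authentication scheme such as Basic or Bearer) and a client beaconing to the same host at a near-constant interval. The following Python is an added example, not code from the article or from Fortinet; the proxy log format, the sample lines, the fingerprint string and the thresholds are all constructed assumptions and do not reflect the actual Proteus traffic format.

```python
"""Triage helper over constructed HTTP proxy log lines.

Heuristic 1: an Authorization value that does not begin with a registered
HTTP authentication scheme (RFC 7235 / IANA registry) followed by credentials.
Heuristic 2: one client requesting the same host at a near-constant interval.
The log format and every value below are constructed for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Registered HTTP authentication schemes a corporate proxy would normally see.
KNOWN_SCHEMES = {
    "basic", "bearer", "digest", "hoba", "mutual", "negotiate", "ntlm",
    "oauth", "scram-sha-1", "scram-sha-256", "vapid",
}

# Hypothetical log format: <iso-timestamp> <client> <method> <host> <path>
# followed by "Authorization=<value>" or "-" when the header is absent.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) "
    r"(?:Authorization=(?P<auth>.*)|-)$"
)

# Constructed sample: 10.0.0.9 sends a fingerprint-style header to the same host
# every 60 seconds; the other clients carry ordinary Basic/Bearer credentials.
SAMPLE_LOG = """\
2017-01-10T09:00:00 10.0.0.5 GET intranet.example.test /api/users Authorization=Basic dXNlcjpwYXNz
2017-01-10T09:00:05 10.0.0.7 GET api.example.test /v1/items Authorization=Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig
2017-01-10T09:00:10 10.0.0.9 POST c2.example.invalid /gate Authorization=WS-0042|x64|1.0.0.3
2017-01-10T09:00:12 10.0.0.11 GET www.example.test /index.html -
2017-01-10T09:00:30 10.0.0.7 GET api.example.test /v1/items Authorization=Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig
2017-01-10T09:01:10 10.0.0.9 POST c2.example.invalid /gate Authorization=WS-0042|x64|1.0.0.3
2017-01-10T09:02:10 10.0.0.9 POST c2.example.invalid /gate Authorization=WS-0042|x64|1.0.0.3
2017-01-10T09:03:10 10.0.0.9 POST c2.example.invalid /gate Authorization=WS-0042|x64|1.0.0.3
2017-01-10T09:04:02 10.0.0.7 GET api.example.test /v1/items Authorization=Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig
2017-01-10T09:05:11 10.0.0.7 GET api.example.test /v1/items Authorization=Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def classify_authorization(value):
    """Return 'absent', 'known-scheme' or 'unknown-scheme' for a header value."""
    if value is None:
        return "absent"
    scheme, _, credentials = value.strip().partition(" ")
    if scheme.lower() in KNOWN_SCHEMES and credentials:
        return "known-scheme"
    return "unknown-scheme"


def beacon_candidates(records, min_requests=4, max_cv=0.1):
    """Return (client, host) pairs whose inter-request gaps are nearly constant.

    max_cv is the coefficient of variation (stdev / mean) tolerated; human
    browsing has large jitter, timer-driven beacons have very little.
    """
    times = defaultdict(list)
    for r in records:
        times[(r["client"], r["host"])].append(r["ts"])
    hits = []
    for key, ts in sorted(times.items()):
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append(key)
    return hits


def triage(log_text):
    """Run both heuristics and return de-duplicated (client, host, reason) findings."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = {}
    for r in records:
        if classify_authorization(r["auth"]) == "unknown-scheme":
            findings[(r["client"], r["host"],
                      "authorization header without a registered scheme")] = None
    for client, host in beacon_candidates(records):
        findings[(client, host, "near-constant request interval")] = None
    return list(findings)


if __name__ == "__main__":
    for client, host, reason in triage(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

Both heuristics are triage signals rather than verdicts: a proprietary API that puts an opaque token in Authorization will trip the first, and a legitimate health-check agent will trip the second, so a hit should be enriched with destination reputation and the originating process before any response action.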

The malware was observed creating six threads for different tasks: SocksTask – creates a socket and sets up port forwarding; MiningTask – appears to mine digital currency using a SHA256 miner; EMiningTask – supposedly mines using CPUMiner and ZCashMiner; CheckerTask – validates given accounts; CommandsTask – kills the current process or downloads and executes an executable on request; and LoggerTask – sets up the keylogger.

During the crypto-mining runtime the bot checks with the server to determine which miner it should use for the mining operations. This is why it creates two mining threads, one for each miner.

“The Proteus botnet has a combination of features including coin miner, proxy server, keylogger, and many more. It is also capable of downloading and executing a file. All of this in one botnet may be even more harmful than one might first think, as it could download anything and execute it in the infected host. Our team will continue to monitor this botnet family and provide more information as it comes to light,” Fortinet’s researchers said.

Related: Battling the Botnet Armies

Related: Self-Spreading Linux Trojan Creates P2P Botnet

Written By

Ionut Arghire is an international correspondent for SecurityWeek.