Malware & Threats

Multifunctional “Proteus” Malware Emerges

A recently observed piece of multifunctional malware can be used to mine for crypto-currencies, log user keystrokes, and download additional malware onto compromised machines, Fortinet security researchers have discovered.

Dubbed Proteus, this threat has been written in .NET and is being distributed through the Andromeda botnet. The malware, Fortinet researchers say, can act as a proxy, but its authors can also use it as an e-commerce merchant account checker, coin miner, keylogger, and malware downloader.

The malware, which functions as a botnet, was observed using encryption to secure all communications with its command and control (C&C) center. The symmetrical algorithm used for encrypting the communications is also used to encrypt all of the strings used in the botnet, the security researchers explain.

Once installed and running as a process, the malware registers with the C&C server by sending an initial registration message containing various details about the infected machine, including processor, BIOS and baseboard information. The bot, researchers say, comes with a hardcoded default fingerprint, which is always overwritten by the above-mentioned data; that data also acts as a unique identifier for the infected machine.

“The fingerprint is included in the HTTP header in the authorization field. MachineName is retrieved by calling the Win32 API GetComputerName, OperatingSystem is the OS architecture x64 or x86. The BotVersion is obtained from the assembly version that the code is executing in,” Fortinet explained.

To this initial registration message, the C&C server responds with an encrypted string that reads “successful.” Next, the bot continues to beacon to the server constantly, to make sure it is live and to carry out other malicious actions.
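Two of the behaviours described above, a machine fingerprint carried in the HTTP Authorization header and a constant beacon to the same server, are the kind of thing a defender can look for in web-proxy logs. The following is an added example, not code from Fortinet or from the article: it parses a few constructed proxy log lines (the line format, the hostnames and the Authorization values are all assumptions for this example; the article does not describe the real layout of the Proteus fingerprint), computes how regular the inter-request gaps are per source/destination pair, and flags pairs that beacon at a near-fixed interval while presenting an Authorization value that is not a standard HTTP auth scheme.

```python
"""Beacon-regularity check over constructed web-proxy log lines.

Everything below the imports is constructed for this example. The log
format (timestamp src_ip dst_host authorization_value) and the
"FP-..." fingerprint string are assumptions, not the real Proteus format.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: one host beacons every 60 s with a non-standard
# Authorization value; another host makes ordinary, irregular API calls.
SAMPLE_LOG = """\
2017-01-10T10:00:00 10.0.0.5 c2.example.invalid FP-WORKSTATION7-x64-1.0
2017-01-10T10:01:00 10.0.0.5 c2.example.invalid FP-WORKSTATION7-x64-1.0
2017-01-10T10:02:00 10.0.0.5 c2.example.invalid FP-WORKSTATION7-x64-1.0
2017-01-10T10:03:00 10.0.0.5 c2.example.invalid FP-WORKSTATION7-x64-1.0
2017-01-10T10:04:00 10.0.0.5 c2.example.invalid FP-WORKSTATION7-x64-1.0
2017-01-10T10:00:12 10.0.0.7 www.example.invalid Bearer eyJhbGciOi...
2017-01-10T10:03:40 10.0.0.7 www.example.invalid Bearer eyJhbGciOi...
2017-01-10T10:09:05 10.0.0.7 www.example.invalid Bearer eyJhbGciOi...
2017-01-10T10:21:30 10.0.0.7 www.example.invalid Bearer eyJhbGciOi...
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
# Authorization schemes that legitimate clients commonly send.
STANDARD_SCHEMES = {"basic", "bearer", "digest", "negotiate", "ntlm"}


def parse_log(text):
    """Yield (timestamp, src, dst, authz) tuples; skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, authz = m.groups()
        yield datetime.fromisoformat(ts), src, dst, authz


def nonstandard_authorization(value):
    """True when the Authorization value does not start with a known scheme."""
    scheme = value.split(" ", 1)[0].lower()
    return scheme not in STANDARD_SCHEMES


def beacon_scores(records, min_requests=4):
    """Per (src, dst) pair, compute the coefficient of variation (CV) of the
    gaps between consecutive requests. A CV near 0 means a fixed interval,
    which is what a constant beacon looks like; human-driven traffic is
    far more irregular."""
    times = defaultdict(list)
    last_authz = {}
    for ts, src, dst, value in records:
        times[(src, dst)].append(ts)
        last_authz[(src, dst)] = value
    scores = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_requests:
            continue  # too few requests to judge regularity
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        scores[pair] = {
            "count": len(ts_list),
            "cv": cv,
            "nonstandard_authz": nonstandard_authorization(last_authz[pair]),
        }
    return scores


def suspicious_pairs(scores, cv_threshold=0.2):
    """Pairs that beacon regularly *and* carry a non-standard Authorization value."""
    return sorted(
        pair for pair, s in scores.items()
        if s["cv"] <= cv_threshold and s["nonstandard_authz"]
    )


if __name__ == "__main__":
    found = suspicious_pairs(beacon_scores(parse_log(SAMPLE_LOG)))
    for src, dst in found:
        print(f"possible beacon: {src} -> {dst}")
```

The two signals are combined deliberately: plenty of legitimate software polls at fixed intervals, and plenty of legitimate requests carry odd headers, but a fixed-interval poll that authenticates with something that is not Basic, Bearer, Digest, Negotiate or NTLM is worth a look. Thresholds such as `cv_threshold` and `min_requests` are starting points to tune against your own traffic.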

The malware was observed creating six threads for different tasks: SocksTask – creates a socket and sets up port forwarding; MiningTask – appears to mine digital currency using SHA256 miner; EMiningTask – supposedly mining using CPUMiner and ZCashMiner; CheckerTask – validates given accounts; CommandsTask – kills current process or downloads and executes an executable on request; and LoggerTask – sets up keylogger.

The bot checks with the server during the crypto-mining runtime to determine which miner it should use for the mining operations. This is why it creates two threads for mining digital currency, one for each miner.

“The Proteus botnet has a combination of features including coin miner, proxy server, keylogger, and many more. It is also capable of downloading and executing a file. All of this in one botnet may be even more harmful than one might first think, as it could download anything and execute it in the infected host. Our team will continue to monitor this botnet family and provide more information as it comes to light,” Fortinet’s researchers said.

Related: Battling the Botnet Armies

Related: Self-Spreading Linux Trojan Creates P2P Botnet

Written By

Ionut Arghire is an international correspondent for SecurityWeek.