type: entity
confidence: high
created: 2026-05-29
updated: 2026-05-29
tags: malware-family, cryptominer, linux, elf, c2, persistence, mitre-attck, packer, upx

Prometei

Prometei is a modular Linux and Windows botnet family active since at least 2020, historically linked to cryptomining and credential harvesting operations. It spreads via SMB exploit chains (EternalBlue) and SSH brute force, then installs persistent services and beacons to a parent botnet infrastructure via HTTP. MalwareBazaar tags samples as Prometei / wraith. ^[sample e6ce5dd2/mb-metadata.json]

Build / RE

  • Format: ELF64 (Linux) or PE32/PE64 (Windows) ^[sample e6ce5dd2/file.txt]
  • Packer: UPX 4.x, often tampered post-packing to prevent standard upx -d decompression ^[sample e6ce5dd2/binwalk.txt]
  • Compiler: GCC (Ubuntu 9.3.0 observed on ELF builds) ^[sample e6ce5dd2/strings.txt]
  • Obfuscation: Stripped symbols, no section headers; embedded cleartext JSON config ^[sample e6ce5dd2/rabin2-info.txt]
  • Signing: Unsigned
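A static triage check for the two ELF traits listed above (section table stripped, UPX marker present) is shown below. This is an added example written for this note, not tooling from the Prometei analysis or from any cited report; the ELF64 image it builds is constructed with `struct` for demonstration and is not the e6ce5dd2 sample. It reads only the 64-byte ELF header and scans for the `UPX!` magic, so it classifies without attempting to unpack anything.

```python
"""Coarse ELF64 triage: section headers stripped? UPX marker present?
Added example; the ELF image below is constructed, not a real sample."""
import struct

ELF_MAGIC = b"\x7fELF"
# 64-byte little-endian ELF64 header: e_ident .. e_shstrndx
ELF64_HDR = struct.Struct("<16sHHIQQQIHHHHHH")


def triage_elf(data: bytes) -> dict:
    """Return coarse indicators; never tries to decompress the binary."""
    if len(data) < ELF64_HDR.size or not data.startswith(ELF_MAGIC):
        return {"elf64": False}
    (ident, _etype, _machine, _ver, _entry, _phoff, shoff, _flags,
     _ehsize, _phentsize, _phnum, _shentsize, shnum, _shstrndx) = ELF64_HDR.unpack_from(data)
    if ident[4] != 2:  # EI_CLASS 2 == ELFCLASS64
        return {"elf64": False}
    return {
        "elf64": True,
        # UPX drops the section table; e_shoff == 0 and e_shnum == 0 is what
        # rabin2 reports as "no section headers"
        "section_headers": shoff != 0 and shnum != 0,
        # stock UPX leaves the "UPX!" magic in its info blocks; a tampered
        # build may corrupt it, so absence is not proof the file is unpacked
        "upx_marker": b"UPX!" in data,
    }


def build_sample(section_headers: bool, upx: bool) -> bytes:
    """Constructed minimal ELF64 image for the demo (not a loadable binary)."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # 64-bit, LSB, version 1
    shoff, shnum = (0x1000, 5) if section_headers else (0, 0)
    hdr = ELF64_HDR.pack(ident, 2, 0x3E, 1, 0x401000, 64, shoff, 0,
                         64, 56, 2, 64, shnum, 0)
    body = b"UPX!" + bytes(60) if upx else bytes(64)
    return hdr + body


if __name__ == "__main__":
    print("packed-looking:", triage_elf(build_sample(section_headers=False, upx=True)))
    print("clean-looking: ", triage_elf(build_sample(section_headers=True, upx=False)))
```

Treat the two flags as a prompt for deeper analysis rather than a verdict: a stripped section table is common to many packers and to some linker setups, and a damaged `UPX!` marker is exactly the tampering this family is noted for.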

Deploy / ATT&CK

  • Initial Access: Exploitation of Public-Facing Application (SMB exploit or SSH brute force) — inferred from historical reporting, not observed in this sample
  • Persistence: Creates or modifies systemd service on Linux (*systemd-service-persistence-linux*) ^[sample e6ce5dd2/cape-report.json]
  • Defense Evasion: Stripped ELF, UPX packing, hosts file modification ^[sample e6ce5dd2/cape-report.json]
  • Discovery: Local system discovery via /proc/self/exe and locale enumeration ^[sample e6ce5dd2/strings.txt]
  • C2: Unencrypted HTTP GET to /cgi-bin/p.cgi with bot GUID query parameters ^[sample e6ce5dd2/cape-report.json]
  • Impact: Cryptominer payload delivery and botnet expansion
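The C2 bullet above describes a beacon shape that is easy to hunt for in proxy or web-server logs. The following scanner is an added example for this note, not code from the sample or from any cited report: it flags cleartext HTTP GET requests to /cgi-bin/p.cgi whose query string carries a GUID-shaped value. The log lines are constructed, and because the page does not name the GUID parameter, the scanner accepts any query value of 8-4-4-4-12 hex form (an assumption).

```python
"""Flag proxy log lines matching the p.cgi beacon shape: plain HTTP GET to
/cgi-bin/p.cgi with a GUID-shaped query value. Added example; the log
lines and the parameter names in them are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

BEACON_PATH = "/cgi-bin/p.cgi"
# Bot GUID in 8-4-4-4-12 hex form; parameter name unknown, so any value matches
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed "timestamp client method url status" lines for the demo
SAMPLE_LOG = """\
1717000001.123 10.0.0.5 GET http://203.0.113.10/cgi-bin/p.cgi?i=9f1c2b3a-4d5e-4f60-8a7b-1c2d3e4f5a6b 200
1717000002.456 10.0.0.7 GET http://example.com/cgi-bin/p.cgi?page=1 200
1717000003.789 10.0.0.5 POST https://203.0.113.10/cgi-bin/p.cgi 200
1717000004.001 10.0.0.9 GET http://203.0.113.10/cgi-bin/p.cgi?id=9f1c2b3a-4d5e-4f60-8a7b-1c2d3e4f5a6b&r=1 404
"""


def is_beacon(method: str, url: str) -> bool:
    """True for an unencrypted GET to the beacon path carrying a GUID value."""
    parts = urlsplit(url)
    if method != "GET" or parts.scheme != "http" or parts.path != BEACON_PATH:
        return False
    values = [v for vs in parse_qs(parts.query).values() for v in vs]
    return any(GUID_RE.match(v) for v in values)


def scan_log(text: str) -> list:
    """Return one record per matching line; HTTP status is ignored on purpose,
    since a failed beacon (e.g. 404) still identifies an infected client."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, method, url, _status = fields[:5]
        if is_beacon(method, url):
            hits.append({"ts": ts, "client": client, "dst": urlsplit(url).hostname})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Pivot on the `client` field: repeated hits from one host on a fixed interval are the expected beacon cadence, and the same host should then be checked for the systemd service and hosts-file changes listed in this section.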

Capabilities

  • upx-packing-anti-unpack
  • systemd-service-persistence
  • hosts-file-modification
  • http-cgi-c2-beacon
  • base64-exfiltration-over-http
  • bot-guid-fingerprint
  • config-json-embedded
  • proc-self-exe-discovery

Variants / Aliases

  • wraith (MalwareBazaar tag)
  • Windows variants observed in historical reporting (not in this corpus)

Notable Analyses

  • e6ce5dd2d422 — ELF64 UPX-packed systemd dropper