Advisory ID: ngCERT-2025-110002
SUMMARY
ngCERT is aware of widespread malicious activity linked to the Prometei botnet affecting multiple network infrastructures within Nigeria’s cyberspace. Prometei is a modular malware family that targets Windows and Linux servers for credential theft, cryptocurrency mining, and the use of infected hosts as proxies. Reports indicate that the malware exploits unpatched systems, weak authentication, and exposed services such as Server Message Block (SMB) and Remote Desktop Protocol (RDP). Infections have been observed across the finance, education, telecommunications and energy sectors, with implications for prolonged network compromise, large-scale credential harvesting, and the use of infected systems as proxies for further attacks. Organisations are therefore urged to strengthen patching routines, improve authentication security, and monitor for unusual system resource usage.
Damage: Critical
Probability: High
Platform(s): Windows and Linux Servers
DESCRIPTION
Prometei is a sophisticated, self-updating botnet whose modular plugins target both Windows and Linux environments. Initial access is achieved by exploiting exposed services, primarily Microsoft Exchange Server vulnerabilities (the ProxyLogon/ProxyShell chains) and weak or default RDP/SSH credentials, among others. Brute-force attacks against SMB, RDP and MSSQL are also common vectors. Once inside, Prometei drops executables named after legitimate system components (for example svchost.exe on Windows or systemd-journald on Linux) so that they blend into process listings, uses exploits such as PrintNightmare and EternalBlue variants to escalate privileges and to spread over SMB, and disables security tools.

For command and control, the malware uses domain generation algorithms (DGA) and HTTP/HTTPS on non-standard ports that mimic legitimate traffic; newer variants route communication through Tor. It aggressively steals credentials, spreads laterally across networks and turns infected systems into high-performance Monero miners. It also installs SOCKS5/HTTP proxies that are resold on underground markets, and exfiltrates browser-saved passwords and VPN configurations.
CONSEQUENCES
A successful Prometei infection could result in:
- Severe performance degradation.
- Data breach.
- System compromise.
- Financial losses.
- Exposure of national networks to global cybercrime operations.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Apply critical patches; disable legacy services like SMBv1.
- Enforce MFA and strong password policies.
- Segment networks and limit administrative access.
- Deploy EDR/XDR to detect abnormal processes and C2 traffic.
- Monitor for CPU spikes, mining processes, and failed login attempts.
- Conduct regular audits and access reviews.
- Isolate infected hosts and reset exposed credentials.
- Train staff on identifying early indicators of compromise.
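The monitoring recommendation above (failed login attempts against SSH, RDP and SMB) can be implemented as a simple sliding-window detector over authentication events. The following is an added example for this advisory, not ngCERT tooling; the sshd log lines and the Windows event 4625 records are constructed for the demo, and the window size and thresholds are assumptions to be tuned per environment.

```python
"""Failed-login burst and password-spray detection over auth events.

Added example (not ngCERT's tooling). Inputs are constructed: Linux sshd lines as found
in /var/log/auth.log, and Windows Security event 4625 (failed logon) summarised as dicts
in the shape a SIEM/EDR forwarder would emit.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: 10 failures from one source within 5 minutes, or 5+ distinct accounts.
WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 10
SPRAY_USER_THRESHOLD = 5

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd(line: str, year: int = 2025):
    """Normalise one sshd failure line to (timestamp, source_ip, user, service) or None."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # accepted logins and unrelated lines are ignored
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return (ts, m["ip"], m["user"], "ssh")


def parse_win4625(ev: dict):
    """Normalise a 4625 record; logon type 10 is RDP, type 3 is network (SMB etc.)."""
    ts = datetime.fromisoformat(ev["TimeCreated"])
    service = {10: "rdp", 3: "network"}.get(ev.get("LogonType"), "other")
    return (ts, ev["IpAddress"], ev["TargetUserName"], service)


def detect_bursts(events: list) -> dict:
    """Return {source_ip: {count, users, services}} for sources over either threshold.

    For each source the densest WINDOW-sized span of failures is found; a source is
    reported if that span holds FAIL_THRESHOLD failures or SPRAY_USER_THRESHOLD accounts.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, service in events:
        by_ip[ip].append((ts, user, service))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start, best = 0, []
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            if len(window) > len(best):
                best = window
        users = {u for _, u, _ in best}
        if len(best) >= FAIL_THRESHOLD or len(users) >= SPRAY_USER_THRESHOLD:
            alerts[ip] = {
                "count": len(best),
                "users": sorted(users),
                "services": sorted({s for _, _, s in best}),
            }
    return alerts


# Constructed samples: a spray against SSH from 203.0.113.5, an RDP brute force from
# 198.51.100.9, and a legitimate user who mistypes once and then logs in.
SAMPLE_AUTH_LOG = [
    f"Nov 12 10:15:{s:02d} web01 sshd[2211]: Failed password for invalid user {u} "
    f"from 203.0.113.5 port {4000 + s} ssh2"
    for s, u in enumerate(["root", "admin", "oracle", "test", "guest",
                           "root", "admin", "oracle", "test", "guest", "root", "admin"])
] + [
    "Nov 12 10:20:44 web01 sshd[2290]: Failed password for alice from 10.0.0.7 port 51522 ssh2",
    "Nov 12 10:20:51 web01 sshd[2290]: Accepted password for alice from 10.0.0.7 port 51522 ssh2",
]
SAMPLE_WIN_EVENTS = [
    {"TimeCreated": f"2025-11-12T10:16:{s:02d}", "IpAddress": "198.51.100.9",
     "TargetUserName": "administrator", "LogonType": 10}
    for s in range(0, 50, 5)
]


def run_detection() -> dict:
    """Parse both sample sources and run the detector over the merged event list."""
    events = [e for e in map(parse_sshd, SAMPLE_AUTH_LOG) if e]
    events += [parse_win4625(ev) for ev in SAMPLE_WIN_EVENTS]
    return detect_bursts(events)


if __name__ == "__main__":
    for ip, info in run_detection().items():
        print(ip, info)
```

Normalising both platforms into the same (timestamp, source, user, service) tuple is the point of the example: a Prometei-style brute force sweeps SSH, RDP and SMB from the same sources, so counting per source across services catches it earlier than per-service rules would.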