It has been reported that the botnet has been active since May, as it relies on 15 executable modules to recover administrator passwords from the infected computer.
However, password validity is verified by sending them to a control server connected to other networks. Once the malware has obtained access to the user’s administrative rights, it proceeds to record all data contained within the system.
It has been analyzed that Cisco Talos estimated that this botnet may contain up to 10,000 systems at any point in time. The botnet is still running with a hash generating frequency of more than 1Million Hash/sec.
Vanja Svajcer, a Researcher at Cisco Talos, stated that Prometei earns its owner around 1500 USD per month.
He clarified that although this does not sound like much compared with other quoted figures, “it comfortably earns well over an average salary in some countries.”
“Stealing credentials is the most dangerous part of the Prometei botnet. You could consider the attacker with its bot being a burglar in your home. Naturally, the burglar searches all the drawers and finds various keys. They take keys with them and ask somebody else (another infected system) to check if any of the keys work on your car, safe deposit box etc. Obviously, when criminals break into a house it opens up a whole new set of opportunities. It is very similar with this botnet.”
Thus, the study states that Prometei makes a moderate profit for a single developer that is “most likely based in Eastern Europe.”