
How Prowli Malware Targeted 40,000 Machines


Recently, cyber-criminals managed to compromise over 40,000 web servers, modems and IoT devices. Let’s look into how Operation Prowli infected its victims…

Late last month, a massive botnet, dubbed VPNFilter, was found infecting half a million routers and storage devices from a wide range of manufacturers in 54 countries with a malware that has capabilities to conduct destructive cyber operations, surveillance and man-in-the-middle attacks.

Shortly after the VPNFilter botnet came to light, researchers uncovered another large one: a botnet of over 40,000 infected web servers, modems and other IoT devices that was being used for cryptocurrency mining and for redirecting web users to malicious sites.

Discovered by the GuardiCore security team and designated Operation Prowli, this is a diverse campaign that exploits known vulnerabilities and brute-forces login credentials to infect and take control of devices.

Modus Operandi
The attackers deploy three components: a cryptocurrency miner, a backdoor and an SSH scanner. Once a server or IoT device has been compromised, the Prowli group determines whether it has enough resources for cryptocurrency mining. Those that do are infected with a Monero miner and the r2r2 worm, a malware strain that performs SSH brute-force attacks from the hacked device and so expands the botnet with new victims. Servers running CMS platforms receive special treatment: they are additionally infected with a backdoor, the WSO web shell.

The attackers used this web shell to modify the compromised websites so that they hosted malicious code redirecting some of each site’s visitors to a Traffic Distribution System (TDS). The TDS rents out the hijacked web traffic to other criminals and forwards users to all sorts of malicious destinations, such as tech support scams and fake update sites.

According to GuardiCore, the TDS the Prowli operators worked with was EITest, also known as ROI777. That service was taken down by cyber-security firms in April, after ROI777 was hacked in March and some of its data was dumped online. This does not seem to have stopped Prowli, which continued to operate afterwards.

Targeted Devices & Services
Here’s the list of devices and services targeted by the Prowli malware:

• WordPress sites (via several exploits and admin panel brute-force attacks)
• Drupal and WordPress CMS servers hosting popular websites, PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports (all via brute-force credential guessing)
• Joomla! servers running the K2 extension (via CVE-2018-7482)
• Backup servers running HP Data Protector software (via CVE-2014-2623)
• Servers with an open SSH port (via brute-force credential guessing)
• Several models of DSL modems (via a well-known vulnerability)
• Vulnerable Internet-of-Things (IoT) devices

According to GuardiCore researchers, the compromised devices were found infected with a Monero (XMR) cryptocurrency miner and the “r2r2” worm — a malware written in Golang that executes SSH brute-force attacks from the infected devices, allowing the Prowli botnet to take over new devices.

In simple terms, “r2r2 randomly generates IP address blocks and iteratively tries to brute force SSH logins with a user and password dictionary. Once it is compromised, it runs a series of commands on the victim,” the researchers explain.

These commands are responsible for downloading multiple copies of the worm for different CPU architectures, a cryptocurrency miner and a configuration file from a remote hard-coded server.
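The worm behaviour described above leaves a recognisable trace on a victim: a burst of failed password logins from one source, often across several usernames, followed (when the dictionary hits) by an accepted password from the same source. The following is an added example, not code from the GuardiCore report or from the Prowli toolset, that runs that detection logic over a constructed sample of rsyslog-style sshd lines. The hostnames and the RFC 5737 addresses are hypothetical, and the thresholds are assumptions to be tuned to your own environment.

```python
import re
from collections import defaultdict

# Matches rsyslog-style sshd lines such as:
#   Jun  5 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (hypothetical host, test addresses); not data from the Prowli report.
SAMPLE_AUTH_LOG = """\
Jun  5 10:01:02 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jun  5 10:01:03 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51236 ssh2
Jun  5 10:01:05 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Jun  5 10:01:06 web01 sshd[2216]: Failed password for invalid user ubuntu from 203.0.113.45 port 51242 ssh2
Jun  5 10:01:08 web01 sshd[2218]: Failed password for invalid user pi from 203.0.113.45 port 51244 ssh2
Jun  5 10:01:09 web01 sshd[2220]: Failed password for root from 203.0.113.45 port 51248 ssh2
Jun  5 10:01:11 web01 sshd[2222]: Accepted password for root from 203.0.113.45 port 51250 ssh2
Jun  5 10:02:30 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2
Jun  5 10:03:00 web01 sshd[2310]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jun  5 10:03:04 web01 sshd[2312]: Accepted password for alice from 198.51.100.7 port 40012 ssh2
"""


def parse_line(line):
    """Return result/method/user/ip for an sshd authentication line, or None for any other line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def analyze(log_text, fail_threshold=5, compromise_threshold=3):
    """Group sshd password events by source IP and flag dictionary-style attacks.

    A source is reported when it reaches fail_threshold failed password attempts, or when a
    password login is accepted after compromise_threshold or more failures from that source
    (the trace a successful guess leaves behind). Thresholds are assumed defaults.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "compromised_user": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "password":
            continue  # key-based logins and unrelated lines are not guessing attempts
        rec = stats[ev["ip"]]
        if ev["result"] == "Failed":
            rec["failures"] += 1
            rec["users"].add(ev["user"])
        elif rec["failures"] >= compromise_threshold:
            rec["compromised_user"] = ev["user"]

    findings = {}
    for ip, rec in stats.items():
        if rec["failures"] >= fail_threshold or rec["compromised_user"]:
            findings[ip] = {
                "failures": rec["failures"],
                "distinct_users": len(rec["users"]),
                "users": sorted(rec["users"]),
                "compromised_user": rec["compromised_user"],
            }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_AUTH_LOG).items():
        if f["compromised_user"]:
            verdict = f"password accepted for '{f['compromised_user']}' after {f['failures']} failures"
        else:
            verdict = f"{f['failures']} failed guesses"
        print(f"{ip}: {verdict}; usernames tried: {', '.join(f['users'])}")
```

On the sample, only 203.0.113.45 is reported: six failures across four usernames and then an accepted root password, which is exactly the sequence to treat as a probable compromise rather than a blocked attack. The single typo by alice from 198.51.100.7 stays below both thresholds. Because r2r2 runs from many infected hosts at once, a per-IP threshold can be slipped under by a slow, distributed scan, so in production also aggregate failures per username across all sources; and the cheapest fix remains disabling password authentication for SSH altogether.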

Prowli operated without any geographic restriction, and its victims were spread all over the world regardless of the underlying platform.

According to the researchers, Operation Prowli was designed and optimized to maximize profit for the criminals behind it. The Prowli malware reportedly infected over 40,000 servers and devices on the networks of more than 9,000 companies across verticals including finance, education and government, and those machines were used to generate money for the operators before the botnet was discovered.

The GuardiCore team traced the campaign across several networks around the world and found the Prowli campaign associated with different industries. “Over a period of 3 weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations,” the researchers said. “These attacks led us to investigate the attackers’ infrastructure and discover a wide-ranging operation attacking multiple services.”

Since the malicious attackers of Operation Prowli were abusing the infected devices and websites to mine cryptocurrency or run a script that redirects them to malicious websites, researchers believe that they were more focused on making money rather than ideology or espionage.

Further Reference
The GuardiCore report on the Prowli group contains indicators of compromise and other details that system administrators can utilize to determine if their IT network has been compromised by the Prowli botnet threat.
