Prowli is a malicious operation used to spread malware and cryptojacking
Researchers at GuardiCore have uncovered a large, destructive botnet that has already infected more than 40,000 devices, including servers, modems and IoT devices.
The Prowli operation aims to spread malware and infect organizations across industry, finance, education and government. It redirects users' traffic to malicious websites that distribute malware, and it drops cryptojacking code that mines cryptocurrency on the compromised machines.
The operators behind Prowli built it to take control of servers through a range of attack techniques, plant malicious code on them, and use them to spread its malware further.
How Prowli malware attacks
The common attack methods include:
- Exploit kits;
- Brute force attacks;
- Exploiting weak configurations.
The Prowli operation has infected machines belonging to more than 9,000 organizations. The attackers also lure users in the style of technical-support scams: they convince victims that their computer has a technical problem and get them to install a malicious program or browser extension that carries the malware payload.
Servers and devices infected by the Prowli campaign:
- WordPress sites
- Joomla! sites
- Several models of DSL modems
- Servers running HP Data Protector
- Drupal and phpMyAdmin installations
- NFS boxes
- Servers with exposed SMB ports (all via brute-force credential guessing)
- Vulnerable Internet-of-Things (IoT) devices
- Servers with an open SSH port
The Prowli group aims to generate profit by deploying cryptocurrency miners
According to the analysis, after compromising servers and IoT devices, the Prowli group uses them for large-scale cryptocurrency mining. It deploys mining code and tooling such as a Monero miner and the r2r2 worm, which consume the devices' computing power to mine digital currency and generate profit for the operators.
r2r2 is a worm that brute-forces SSH logins by trying usernames and passwords drawn from a dictionary. Once it breaks in, it executes a series of commands on the compromised device, letting Prowli establish itself there and spread further to uninfected machines and devices.
These commands download the cryptomining components from a remote server. They include:
- The Monero (XMR) cryptocurrency miner
- The configuration file
- Copies of the r2r2 worm built for different CPU architectures
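The SSH guessing described above leaves a distinctive trace in sshd's log: a burst of failed logins from one source address that fans out across many usernames, sometimes followed by an accepted password login from that same address. The following detection logic is an added example written for this article, not code from GuardiCore or from the Prowli analysis; the log lines it runs on are constructed for illustration and the IP addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines for illustration (not taken from the article
# or from GuardiCore's report). 203.0.113.x and 198.51.100.x are documentation
# address ranges used here as placeholders.
SAMPLE_AUTH_LOG = """\
Jun  5 10:01:02 host sshd[2301]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun  5 10:01:03 host sshd[2302]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Jun  5 10:01:04 host sshd[2303]: Failed password for invalid user test from 203.0.113.7 port 40126 ssh2
Jun  5 10:01:05 host sshd[2304]: Failed password for invalid user oracle from 203.0.113.7 port 40128 ssh2
Jun  5 10:01:06 host sshd[2305]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jun  5 10:01:07 host sshd[2306]: Failed password for invalid user pi from 203.0.113.7 port 40132 ssh2
Jun  5 10:01:09 host sshd[2307]: Accepted password for root from 203.0.113.7 port 40134 ssh2
Jun  5 10:05:00 host sshd[2400]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Jun  5 10:05:20 host sshd[2401]: Accepted publickey for alice from 198.51.100.9 port 51002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user>
# from <ip> port <port> ssh2" syslog line.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_log(text):
    """Turn raw sshd syslog text into a list of login-event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog noise is skipped
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_ssh_bruteforce(events, min_failures=5, min_users=3, window_seconds=300):
    """Flag source IPs that produce >= min_failures failed logins against
    >= min_users distinct usernames inside a window_seconds window (a dictionary
    attack fans out across accounts, unlike a user mistyping one password).
    Any 'Accepted password' from the same IP after the burst began is reported
    as a suspected compromised account."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        for i, start in enumerate(failures):
            limit = start["ts"] + timedelta(seconds=window_seconds)
            burst = [e for e in failures[i:] if e["ts"] <= limit]
            users = {e["user"] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                compromised = sorted({
                    e["user"] for e in evs
                    if e["result"] == "Accepted" and e["method"] == "password"
                    and e["ts"] >= start["ts"]
                })
                findings[ip] = {"failures": len(burst), "users": sorted(users),
                                "compromised_accounts": compromised}
                break  # one finding per source IP is enough
    return findings


if __name__ == "__main__":
    for ip, f in detect_ssh_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {f['failures']} failures across {len(f['users'])} users; "
              f"password logins accepted afterwards for: {f['compromised_accounts'] or 'none'}")
```

On the sample, only 203.0.113.7 is flagged: six failures across five usernames inside the window, followed by an accepted password login for root, which is exactly the sequence that should trigger an incident-response look at the host. The single failed login from 198.51.100.9 followed by a key-based success is ordinary user behaviour and stays quiet. The distinct-username requirement is what keeps the rule from firing on a legitimate user who repeatedly mistypes one password.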
The Prowli operation also infects CMS (content management system) platforms with a backdoor, the WSO web shell. The attackers use this web shell to inject malicious code into the websites, after which the compromised website redirects visitors' traffic to sites the attackers own or are paid to promote, including fake update pages, adult sites, tech-support scams and other misleading websites.
Many of the traffic distribution systems (TDS) working for the attackers have since been taken down, but Prowli has not stopped and continues to spread its malware for profit.
How to protect your devices from the Prowli attack
The Prowli operation constantly searches for vulnerabilities, loopholes and weak security configurations it can use to break into your device and take it over completely; the compromised device is then put to use in the attackers' schemes. Nobody should make it easy for the criminals behind Prowli to carry out these illegitimate actions. Follow these simple steps to keep your device from being compromised by the Prowli malware:
- Use a strong, unique password for each device, one you have not used anywhere before
- Change it at least every 3 months
- Keep your operating system updated
- Use real-time anti-malware protection on each of your devices
- Never click on fraudulent or misleading links such as tech-support scams
- Install apps and extensions from official websites only
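For the servers with open SSH ports that r2r2 targets, the password advice above translates into concrete sshd settings: if password authentication is disabled and root cannot log in with a password, a dictionary attack has nothing to guess. The audit below is an added example written for this article, not a GuardiCore tool; the two sshd_config fragments are constructed (one permissive, one hardened) and use real OpenSSH directive names, while the thresholds and wording of the findings are this example's own choices.

```python
# Constructed examples of a permissive and a hardened sshd_config (not from the
# article or GuardiCore's report). PermitRootLogin, PasswordAuthentication,
# PubkeyAuthentication and MaxAuthTries are real OpenSSH directives.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# 6 is also OpenSSH's compiled-in default
MaxAuthTries 6
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Directive -> (accepted values, why it matters against password guessing).
EXPECTED = {
    "PermitRootLogin": ({"no", "prohibit-password"},
                        "root should not be reachable with a guessed password"),
    "PasswordAuthentication": ({"no"},
                               "key-only logins make a dictionary attack pointless"),
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value}. Comment lines are stripped and only
    the first occurrence of a directive counts, which is how sshd itself
    resolves duplicates (directive names are case-insensitive)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line; sshd would reject it, we just skip it
        key, value = parts
        conf.setdefault(key.lower(), value.strip())
    return conf


def audit_sshd_config(text, max_auth_tries=3):
    """Return a list of human-readable findings; an empty list means the
    configuration resists the SSH password guessing described in the article."""
    conf = parse_sshd_config(text)
    issues = []
    for directive, (safe_values, reason) in EXPECTED.items():
        value = conf.get(directive.lower())
        if value is None or value.lower() not in safe_values:
            shown = value if value is not None else "unset (compiled-in default)"
            issues.append(f"{directive} is {shown}: {reason}")
    tries = conf.get("maxauthtries")
    if tries is None or int(tries) > max_auth_tries:
        shown = tries if tries is not None else "unset (default 6)"
        issues.append(f"MaxAuthTries is {shown}: lower it to {max_auth_tries} "
                      "so each connection allows fewer guesses")
    return issues


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        issues = audit_sshd_config(cfg)
        print(f"{name}: {len(issues)} issue(s)")
        for issue in issues:
            print("  -", issue)
```

Run against the permissive fragment the audit reports three findings (root login allowed, password authentication enabled, MaxAuthTries at the default); the hardened fragment passes cleanly. Treating an unset directive as a finding is deliberate: relying on whatever default a given OpenSSH build ships with is itself the kind of weak configuration the article says Prowli looks for, so the audit asks for the value to be stated explicitly.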