More Than 40,000 Machines Infected With Prowli Malware

A traffic manipulation and cryptocurrency mining campaign called Operation Prowli, which has infected more than 40,000 machines, has been discovered by the Guardicore Labs cybersecurity team. According to the GuardiCore blog, the Prowli malware employs various attack methods, including exploits, password brute-forcing, and weak configurations, to target a variety of platforms such as CMS servers hosting popular websites, backup servers running HP Data Protector, DSL modems, and IoT devices.

Prowli was uncovered by the GuardiCore Global Sensor Network (GGSN), which on April 4 reported a group of SSH (secure shell) attacks communicating with a command-and-control server. The attacks downloaded a number of attack tools named r2r2, together with a cryptocurrency miner. During the next three weeks, the GGSN reported dozens of such attacks per day, carried out from over 180 IPs originating from several countries and organizations.

The GGSN team found that the attackers were maintaining a large collection of compromised machines, identified by IPs and domains, that expose different services to the Internet. These services are either vulnerable to remote pre-authentication attacks or allow the attackers to gain access through brute-force techniques.

The GGSN team concluded that Operation Prowli was motivated by money rather than ideology or espionage. Mining the Monero cryptocurrency was identified as one source of revenue; the other is traffic monetization fraud. Traffic monetizers such as roi777 buy online traffic from the Prowli perpetrators and redirect it to domains on demand, and the perpetrators earn money based on the volume of traffic sent through roi777. The destination domains frequently host various scams such as fake services and malicious browser extensions.

The GGSN team recommends using strong passwords and keeping software updated to thwart Operation Prowli. Users can also lock down systems and segment vulnerable or hard-to-secure systems to separate them from the rest of the network.