Operation Prowli Malware Infects Over 40,000 Machines, Which Were Used for Crypto Mining

Published at: June 7, 2018

The GuardiCore security team has discovered a malicious traffic manipulation and cryptocurrency mining campaign, according to an announcement published June 6. The campaign infected over 40,000 machines across various industries, including finance, education, and government.

The campaign called Operation Prowli used various techniques like exploits and password brute-forcing to spread malware and take over devices, such as web servers, modems, and Internet-of-Things (IoT) devices. GuardiCore found that the attackers behind Prowli were focused on making money rather than ideology or espionage.

According to the report, the compromised devices were infected with a Monero (XMR) miner and the r2r2 worm, a malware that executes SSH brute-force attacks from the hacked devices, and backs the Prowli to affect new victims. In other words, by randomly generating IP address blocks, r2r2 tries to brute-force SSH logins with a user/ password dictionary, and after breaking in runs a series of commands on the victim. The GuardiCore wrote:

"The attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools named r2r2 along with a cryptocurrency miner."

Additionally, cybercrooks used an open source webshell named “WSO Web Shell” to alter the compromised websites to host malicious code that redirects site visitors to a traffic distribution system, which then redirects them to various other malicious sites. Once redirected to a fake website, users fell victim to clicking on malicious browser extensions. The GuardiCore team reported that Prowli managed to compromise more than 9,000 companies.

Last month, a new piece of cryptojacking malware used half a million computers to mine 133 Monero tokens in three days. Cyber security firm 360 Total Security discovered that the malware, referred to as WinstarNssmMiner, presents a fresh challenge to users, due to its ability to both mine and crash infected machines.

Tags
Related Posts
Botnet Exploits SQL Servers to Install Crypto Mining App
Recent reports revealed that a group of hackers behind the Kingminer botnet targeted vulnerable Microsoft SQL server databases to mine cryptocurrencies at some point in the second week of June. According to the cybersecurity firm Sophos, the attackers used the botnet, active since 2018, to exploit the BlueKeep and EternalBlue vulnerabilities, by also accessing through a trojan known as Gh0st, which relies on a remote access malware. Once the SQL server database is infected, the botnet installs a well-known crypto miner software called XMRig, which mines Monero (XMR). There are no details as of press time regarding how many systems …
Altcoin / June 10, 2020
1,000 Corporate Systems Infected With Monero Mining Malware
The Blue Mockingbird malware gang has infected more than 1,000 business systems with Monero mining malware since December 2019. The global scale of the hacker group’s operations was revealed by cloud security firm Red Canary on May 26. The report outlined the group’s methodology. The malware attacks servers running ASP.NET applications and exploits a vulnerability to install a web shell on the attacked computer and obtain administrator-level access to modify the server settings. Next, the cybercriminals install the XMRRig application to take advantage of the resources of the infected machines. Most of the infected computers belong to large companies, though …
Altcoin / May 27, 2020
Despite Bear Market, Crypto Mining Malware Tops Threat Index for 13th Month Running
Three strains of crypto mining malware have topped the latest Global Threat Index from Israeli cybersecurity firm Check Point, according to a press release published on Jan. 14. Check Point Software Technologies Ltd. is a security solution provider for governments and enterprises globally, with over 100,000 organizations reported to be currently using its security management system. As reported, stealth crypto mining attacks — also known as cryptojacking — work by installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge. According to Check Point’s Global Threat Index for December 2018, the top …
Altcoin / Jan. 14, 2019
Mining Malware Continues To Dominate Cybersecurity Threats By Seeking Out New Vulnerabilities
Mining malware may now be painfully familiar to anyone with even a passing awareness of cryptocurrency, but so far businesses and consumers alike are failing to significantly curb its growing threat. On May 14, Israeli cybersecurity firm Check Point released its latest Global Threat Index, and for the fifth consecutive month it found that the Coinhive crypto-miner is the "most prevalent malware" in the world, affecting 16 percent of organizations globally. Meanwhile, Santa Clara-based Malwarebytes released its Cybercrime tactics and techniques: Q1 2018 report on April 9, finding that businesses had seen a 27 percent increase in mining malware in …
Altcoin / May 24, 2018
Coinhive Code Found On 300+ Websites Worldwide In Recent Cryptojacking Campaign
The Coinhive crypto mining code has been recently detected on more than 300 government and university websites worldwide, cyber security researcher Troy Mursch reported Saturday, May 5. According to the report, all the affected websites are using a vulnerable version of the Drupal content management system. As the researcher posted on Twitter May 4, he was alerted to this particular campaign via the attack on the websites of the San Diego Zoo, and the government of Chihuahua, Mexico. Both websites reportedly had Coinhive injected into their Javascript libraries in the same way. Coinhive is a JavaScript program created to mine …
United States / May 8, 2018