Prowli malware: exploiting more than 40k servers across the world

by Ugnius Kiguolis - - 2018-06-12

Prowli is the operation detected to spread malware and perform crypto-mining activities

Prowli malware image Prowli malware is a cyber threat which has successfully infected more than 40 000 machines.

Cybersecurity experts have discovered a massive botnet that has already infected more than 40 000 devices across the world^[1]. It was designed to manipulate users' traffic to malicious websites, distribute malware and launch crypto-mining campaigns. The scope of infection includes governmental, educational and financial institutions.

Hackers have developed the Prowli operation to take over servers by embedding malicious codes and spreading malicious programs using different attack vectors. One of the most widely used ones are^[2]:

Exploit kits;
Brute force attacks;
Exploiting weak configurations.

According to the analysis, Prowli campaign has already successfully infected machines of more than 9 000 companies^[3]. Likewise, the attackers relied on technical support scams where they tried to lure novice computer users into installing unreliable and potentially dangerous extensions.

Currently, it is known that WordPress sites and Joomla! pages with K2 extension are affected. Although, malware researchers have generated a list of devices that can also be infected by Prowli malware:

DSL modems;
Servers with an open SSH port;
Backup servers running HP Data Protector software;
NFS boxes;
Vulnerable Internet-of-Thing (IoT) devices;
Servers with exposed SMB ports;
PhpMyAdmin installations.

Criminals are focused on generating profits and injecting cryptocurrency miners

During the analysis, IT experts have discovered the cryptocurrency mining script that infects the device with Monero Miner^[4] and r2r2 worm which allow the criminals to excessively exploit computing power and generate digital currency from the affected machines.

<…> r2r2 randomly generates IP address blocks and iteratively tries to brute force SSH logins with a user and password dictionary. Once it breaks in, it runs a series of commands on the victim <…>

The commands are designed to download the following components from a remote and hard-coded server:

The Monero (XMR) cryptocurrency miner;
The configuration file;
Multiple copies of r2r2 worm which are suited for different CPU architectures.

In other terms, r2r2 is a malware that performs SSH brute-force attacks from the victimized device^[5]. The malicious program is written in Golang language and allows Prowli operation to spread further, infecting even more new machines and other devices.

Ways to protect your device from Prowli malware

It is evident that the crooks are using well-known vulnerabilities or merely credential guessing to infect the devices. Likewise, the smartest decision would be to follow this easy 3-step guide to protect your computer from Prowli:

Always update your OS;
Use strong passwords;
Each password on the device should be different;
Employ a professional security software and update it regularly as well.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ Pierluigi Paganini. Prowli Operation – Crooks already compromised over 40,000 servers and IoT Devices. Security Affairs. Read, think, share.
^ Swati Khandelwal. Prowli Malware Targeting Servers, Routers, and IoT Devices. The Hacker News. Online Cyber Security News & Analysis.
^ Kacy Zurkus. Operation Prowli Malware Infected 40,000 Machines. Infosecurity Magazine. Information Security & IT Security News.
^ Lucia Danes. Monero Miner. How to remove? (Uninstall guide). 2Spyware. Security and Spyware News.
^ Ana Alexandre. Operation Prowli Malware Infects Over 40,000 Machines, Which Were Used for Crypto Mining. Cointelegraph. Bitcoin & Ethereum Blockchain News.