Prowli Malware Infected More Than 40,000 Crypto Mining Machines

On June 6th, 2018, the GuardiCore security team discovered a malicious traffic manipulation and also a crypto mining campaign. This manipulated campaign affected more than 40,000 machines from different sectors including governments. The campaign under the name, Prowli Malware Operation, applied different techniques such as exploits and password brute-forcing. The malware also aimed to take over devices like modems, web servers, and even IoT devices.

The attackers using the Prowli malware were after making money, not ideology. The report indicates XMR miner, belonging to Monero, and also the r2r2 worm, infected the compromised machines.. This malware operates by executing brute-force attacks on machines and then backs to affect new victims with Prowli. It works through the generation of new IP addresses, then after breaking into the victim’s machines, it runs different commands in the machine.

According to the information from GuardiCore, “The attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools named r2r2 along with a cryptocurrency miner.”

Hackers Step Up Their Game

The cyber-criminals responsible for this transgression used an open source web shell called WSO Web Shell. It changed all the compromised websites to allow the hosting of a malicious code. Then, it redirects site visitors to ensure traffic distributes among a system. The traffic distribution system is then responsible for redirecting the malicious codes to other venomous sites. After the redirecting, malicious browser extensions trick victims into clicking them. According to the report from the security company, Prowli had already compromised more than 9,000 institutions before the discovery.

Cases of crypto-jacking are becoming very popular. Last month, a malware affected more than 500,000 computers. It was set up to mine Monero tokens, and before it was discovered, it had already mined 133 tokens in three days. The malware was discovered by 360 Total Security which was called WinstarNssmMiner. This malware was particularly very dangerous, because it had the power to crush the infected machines.

A report tabled at the start of 2018 showed that the cryptocurrency market is the most targeted by hackers. This is because of its decentralized nature and the fact that it’s very hard to trace pilfered coins. More to that, the market allows people to operate in an anonymous state, thus becoming a breeding place for hackers.