According to a newly released report, a malicious crypto-mining and traffic monetization malware campaign is underway. The report, which was published on June 6, explains that the campaign has so far affected more than 40,000 systems of nearly 9,000 companies across the world.
A variety of sectors, including governmental institutions, education, and the finance industry, have been attacked in this campaign so far. Dubbed Operation Prowli, the campaign uses different attack methods such as exploits, weak configuration, and password brute-forcing.
According to security researchers at GuardiCore Labs, the purpose is to distribute malware and obtain full control over a wide range of devices. Researchers suspect that the attackers are keen on making money instead of spying or stealing information.
As noted by the head of GuardiCore Labs Ofri Ziv: “What they have in mind is not security, they just want to have a server that will host their website. They’re doing every mistake possible … using weak passwords, they don’t configure the server properly, so sometimes the attacker is able to just get the configuration of the server directly from the Internet.”
The malware targets servers hosting Content Management Systems, HP Data Protector, backup servers, IoT devices and DSL modems, while users are redirected to infected, malicious websites. The attackers behind Prowli have also compromised a large number of IPs and domains.
The malware currently targets organizations irrespective of their size, and services that are susceptible to remote pre-authentication attacks are its key targets. The cyber criminals earn revenue through two main methods: traffic monetization and cryptocurrency mining.
After compromising a server or device, the malware infects it with a Monero (XMR) miner. It also installs the self-propagating r2r2 worm, which brute-forces SSH logins from the hacked devices in order to claim new victims. The r2r2 worm randomly generates IP address blocks and uses a user/password dictionary to brute-force SSH logins. Once the brute-forcing succeeds, it executes a series of commands on the infected device.
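On the receiving side, a dictionary run like the one described above shows up in sshd logs as many failed logins for different usernames from one source, and the dangerous case is a login accepted from that same source. The following detection sketch is an added example, not code from the GuardiCore report; it assumes OpenSSH's standard password-auth log format, and the thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (OpenSSH format, documentation-range addresses).
SAMPLE_LOG = """\
Jun  6 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun  6 10:00:02 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 40113 ssh2
Jun  6 10:00:03 web1 sshd[2103]: Failed password for invalid user pi from 203.0.113.7 port 40114 ssh2
Jun  6 10:00:04 web1 sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 40115 ssh2
Jun  6 10:00:05 web1 sshd[2105]: Accepted password for root from 203.0.113.7 port 40116 ssh2
Jun  6 10:05:10 web1 sshd[2110]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jun  6 10:05:20 web1 sshd[2111]: Accepted password for alice from 198.51.100.20 port 51001 ssh2
Jun  6 10:07:01 web1 sshd[2120]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Jun  6 10:07:02 web1 sshd[2121]: Failed password for invalid user ftp from 192.0.2.44 port 33002 ssh2
Jun  6 10:07:03 web1 sshd[2122]: Failed password for root from 192.0.2.44 port 33003 ssh2
Jun  6 10:07:04 web1 sshd[2123]: Failed password for root from 192.0.2.44 port 33004 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, min_failures=4, min_users=3):
    """Flag source IPs whose failures look like a user/password dictionary run."""
    failures, users, findings = defaultdict(int), defaultdict(set), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(user)
            if failures[ip] >= min_failures and len(users[ip]) >= min_users:
                findings.setdefault(ip, {"compromised_as": None})
        elif ip in findings and findings[ip]["compromised_as"] is None:
            # Login accepted from an already-flagged source: treat the account as compromised.
            findings[ip]["compromised_as"] = user
    for ip, f in findings.items():
        f["failures"], f["users"] = failures[ip], sorted(users[ip])
    return findings

if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

A source with a non-empty `compromised_as` is the one to triage first; a user who mistypes a password once and then logs in stays below the thresholds and is not flagged.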
All the attacks behave in a similar fashion and communicate with the same command and control server to download different infection tools, including r2r2 and the Monero miner.
An open-source webshell called WSO Web Shell is also used to modify the compromised websites and to host malicious code that redirects site visitors to a traffic distribution mechanism. The mechanism then redirects victims to malicious scam websites so that they click on infected browser extensions.
According to the researchers, the traffic is sold through roi777, a Russian-language traffic monetization website. The campaign was identified on April 4, and GuardiCore carried out extensive research spanning over three weeks to analyze it. The researchers discovered that over 180 IPs across a number of countries and a wide range of organizations are being targeted in Operation Prowli.