Prowli malware takes over 40,000 devices worldwide for Monero mining

June 7th, 2018 | Waqas | Malware, Security

According to a newly released report, a malicious crypto-mining and traffic monetization malware campaign is underway. The report, which was published on June 6, explains that the campaign has so far affected more than 40,000 systems of nearly 9,000 companies across the world.

See: Hackers are using YouTube Ads to Mine Monero Cryptocurrency

Government institutions, education, and the finance industry are among the sectors hit so far. Dubbed Operation Prowli, the campaign combines several attack methods: exploits, weak configurations, and password brute-forcing.

According to security researchers at GuardiCore Labs, the goal is to distribute malware and gain full control over a wide range of devices. The researchers believe the attackers are motivated by money rather than by espionage or data theft.

As noted by the head of GuardiCore Labs Ofri Ziv: “What they have in mind is not security, they just want to have a server that will host their website. They’re doing every mistake possible … [they’re] using weak passwords, they don’t configure the server properly, so sometimes the attacker is able to just get the configuration of the server directly from the Internet.”

The malware targets servers hosting content management systems, HP Data Protector, backup servers, IoT devices and DSL modems, and visitors of compromised sites are redirected to malicious websites. A large number of IPs and domains have also been compromised by the attackers behind Prowli.

The malware currently targets organizations of every size; its preferred victims are services exposed to remote pre-authentication attacks. The criminals monetize compromised systems in two main ways: traffic monetization and cryptocurrency mining.

See: Malicious Chrome extensions found stealing data with cryptomining trojan

After compromising a server or device, the malware installs a Monero (XMR) miner on it. It also installs a self-propagating worm, r2r2, which brute-forces SSH logins from the hacked devices to claim new victims. The r2r2 worm randomly generates IP address blocks and works through a user/password dictionary to brute-force SSH logins. Once it gains access, it executes a series of commands on the newly infected device.
</gre_replace>
<gr_insert after="105" cat="add_content" lang="python" orig="After compromising">
The SSH brute-forcing described above leaves a recognisable trace on every host it touches: a burst of failed password logins from one source address, often against several usernames, sometimes followed by an accepted login. The following detector is an added example written for this article; it is not code from GuardiCore or from the Prowli campaign. It assumes the standard OpenSSH auth-log format, and the log lines it runs over are constructed for the demonstration (the addresses are documentation ranges, not real indicators).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth-log lines (not real data). One source
# hammers root and several common usernames, then gets in; another is a
# single typo from a legitimate user followed by a key-based login.
SAMPLE_AUTH_LOG = """\
Jun  7 10:00:01 web01 sshd[1201]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jun  7 10:00:02 web01 sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2
Jun  7 10:00:03 web01 sshd[1205]: Failed password for root from 198.51.100.23 port 40141 ssh2
Jun  7 10:00:04 web01 sshd[1207]: Failed password for invalid user test from 198.51.100.23 port 40150 ssh2
Jun  7 10:00:05 web01 sshd[1209]: Failed password for root from 198.51.100.23 port 40158 ssh2
Jun  7 10:00:06 web01 sshd[1211]: Failed password for invalid user oracle from 198.51.100.23 port 40166 ssh2
Jun  7 10:00:09 web01 sshd[1213]: Accepted password for root from 198.51.100.23 port 40170 ssh2
Jun  7 10:03:00 web01 sshd[1300]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Jun  7 10:03:20 web01 sshd[1302]: Accepted publickey for alice from 203.0.113.9 port 51004 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines
# that OpenSSH writes; other sshd messages are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_sshd_lines(text, year=2018):
    """Parse auth-log text into login events. Syslog lines carry no year, so the
    caller supplies it (assumption: all lines fall within that year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    A source that then gets an accepted login after the burst is marked
    'critical': that is the pattern of a dictionary attack that succeeded."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]

        # Sliding window over the failure timestamps: find the first window
        # that reaches the threshold.
        burst_start = None
        start = 0
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = fails[start]["ts"]
                break
        if burst_start is None:
            continue

        accepted_after = any(e["result"] == "Accepted" and e["ts"] >= burst_start
                             for e in evs)
        findings[ip] = {
            "failed_attempts": len(fails),
            "distinct_users": sorted({e["user"] for e in fails}),
            "accepted_after_burst": accepted_after,
            "severity": "critical" if accepted_after else "high",
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(parse_sshd_lines(SAMPLE_AUTH_LOG)).items():
        print(ip, finding)
```

The threshold and window are deliberately conservative defaults; tune them to the host's normal traffic. A "critical" finding is the signal to treat the host as compromised rather than merely probed, since the campaign installs a miner and the r2r2 worm immediately after a successful login. The mitigation the quoted researcher points at is the same in every case: disable password authentication for SSH in favour of keys, and never expose root login with a dictionary password.
<test>
events = parse_sshd_lines(SAMPLE_AUTH_LOG)
assert len(events) == 9
findings = detect_bruteforce(events)
assert set(findings) == {"198.51.100.23"}
f = findings["198.51.100.23"]
assert f["failed_attempts"] == 6
assert f["distinct_users"] == ["admin", "oracle", "root", "test"]
assert f["accepted_after_burst"] is True
assert f["severity"] == "critical"
assert detect_bruteforce(events, threshold=10) == {}
assert detect_bruteforce(events, threshold=2, window_seconds=1) == {}
</test>
</gr_insert>
<gr_replace lines="109" cat="clarify" orig="An open-source webshell">
An open-source web shell, WSO Web Shell, is also used to modify the compromised websites and to host malicious code that redirects site visitors to a traffic distribution system. That system sends victims on to malicious scam websites designed to get them to click on infected browser extensions.

All the attacks behave in a similar fashion and communicate with the same command and control server for downloading different infection tools including r2r2 and Monero miner.

An open-source webshell called WSO Web Shell is also used to modify the compromised websites and for hosting malicious code for redirecting site visitors to a traffic distribution mechanism. It is responsible for redirecting victims to malicious, scam websites so that they click on infected browser extensions.

According to the researchers, the traffic is sold through roi777, a Russian-language traffic monetization website. The campaign was identified on April 4, and GuardiCore spent more than three weeks analyzing it. The researchers found that over 180 IPs across a number of countries and a wide range of organizations are being targeted in Operation Prowli.

See: New cryptojacking trojan hits Mac devices

Image credit: Depositphotos

Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism.

Related Posts
How to identify malware on your phone with these 7 signs

How to identify malware on your phone with these 7 signs

"The Smartest Lock Ever” KeyWe is Vulnerable to Hacking

"The Smartest Lock Ever” KeyWe is Vulnerable to Hacking

Plundervolt: A new attack on Intel processors threatening SGX data

Plundervolt: A new attack on Intel processors threatening SGX data

Newsletter

Get the best stories straight into your inbox!



Don’t worry, we don’t spam

LATEST POSTS
NGINX office in Moscow raided by police
Cyber Events

NGINX office in Moscow raided by police

300
How to identify malware on your phone with these 7 signs
How To

How to identify malware on your phone with these 7 signs

368
"The Smartest Lock Ever” KeyWe is Vulnerable to Hacking
Security

"The Smartest Lock Ever” KeyWe is Vulnerable to Hacking

161
Plundervolt: A new attack on Intel processors threatening SGX data
Security

Plundervolt: A new attack on Intel processors threatening SGX data

394

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.

Follow us