Operation Prowli Malware Infects Over 40,000 Machines, Which Were Used for Crypto Mining

Published by Cointele

The GuardiCore security team has discovered a malicious traffic manipulation and cryptocurrency mining campaign, according to an announcement published June 6.

The campaign infected over 40,000 machines across various industries, including finance, education, and government.

The campaign, dubbed Operation Prowli, used a mix of techniques, including exploits and password brute-forcing, to spread malware and take over devices such as web servers, modems and Internet-of-Things devices.

According to the report, the compromised devices were infected with a Monero miner and the r2r2 worm, malware that runs SSH brute-force attacks from the hacked devices and so feeds new victims back into the Prowli campaign.

"The attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools named r2r2 along with a cryptocurrency miner."

The attackers used the open-source webshell "WSO Web Shell" to modify compromised websites so that they served malicious code redirecting visitors to a traffic distribution system (TDS), which in turn sent them on to other malicious sites.

Once on the fake site, visitors were tricked into installing malicious browser extensions.

The GuardiCore team reported that Prowli managed to compromise more than 9,000 companies.

Last month, a new piece of cryptojacking malware used half a million computers to mine 133 Monero (XMR) in three days.

Security firm 360 Total Security found that the malware, dubbed WinstarNssmMiner, poses a fresh challenge to users because it can both mine cryptocurrency and crash the infected machine.
