Prowli leverages weak IoT devices and servers for profit.
A malicious campaign infected more than 40,000 machines globally, carrying out traffic hijacking and cryptomining. Researchers call the campaign Operation Prowli. It targets a variety of platforms including Drupal CMS websites, WordPress sites, backup servers running HP Data Protector, DSL modems and vulnerable IoT devices. Machines are monetized using a variety of methods, relying on internet trends such as digital currencies and traffic redirection. Traffic monetization frauds are common and are based on redirecting website visitors from their legitimate destination to websites advertising malicious browser extensions, tech support scam services, fake services and more.
Guardicore researchers first discovered the campaign on April 4, when they noticed a group of SSH attacks communicating with a C&C server using GuardiCore deception technology. According to the researchers, these hackers are sophisticated and efficient back-end engineers: they are not using sophisticated attacks, nor is their worm special, but their command-and-control is lean, efficient and hard to trace. Based on compile times and different log files, researchers estimate that the hackers have been operating since early 2018.
The hacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools collectively named r2r2 (written in Golang), across several networks in different countries, along with a cryptocurrency miner. Over a period of three weeks, researchers captured dozens of similar attacks per day coming from over 180 IPs from a variety of countries and organizations. These attacks led researchers to investigate the hackers' infrastructure and discover a wide-ranging operation attacking multiple services. Upon further investigation, the researchers found that Operation Prowli compromised a variety of victims, from financial organizations to state and local governments. The attacks targeted servers via open SSH ports, CMS servers hosting popular websites and insecure IoT devices. Researchers believe the majority of the hackers' income comes from traffic hijacking, because it is a consistent source that is easy to monetize.
Researchers believe that the campaign operators use a toolbox with a variety of attack methods to fit their needs; the different types of attacks are based on a mix of known vulnerabilities and credential guessing. Machines running SSH are hacked by a self-propagating worm that spreads by brute-force credential guessing. The infected machines then download and run a cryptocurrency miner. The hackers infect other victims, such as servers running HP Data Protector exposed to the internet over port 5555, or WordPress installations, by exploiting old vulnerabilities. Meanwhile, r2r2 randomly generates IP address blocks and then tries to brute-force SSH logins with a user/password dictionary.
Once the binary breaks in and infects a machine, it runs a series of commands to download files from a hard-coded server. That includes multiple copies of the worm for different CPU architectures, a cryptocurrency miner and a configuration file. The hackers' attack tools report to a C&C server running under the domain name wp.startreceive[dot]tk. That Joomla! server is itself an infected server, which the hackers reuse to track their malware, collect information from the growing victims list and also serve different malicious code to infected machines.
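The SSH credential-guessing stage described above leaves a characteristic trace in sshd logs: one source IP cycling through many usernames, followed by a successful login. The following detection logic is an added example, not code from the original report or from Guardicore; the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the original report).
SAMPLE_AUTH_LOG = """\
Jun  4 10:01:02 host sshd[2311]: Failed password for root from 203.0.113.7 port 51012 ssh2
Jun  4 10:01:03 host sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Jun  4 10:01:04 host sshd[2313]: Failed password for invalid user pi from 203.0.113.7 port 51014 ssh2
Jun  4 10:01:05 host sshd[2314]: Failed password for invalid user test from 203.0.113.7 port 51015 ssh2
Jun  4 10:01:06 host sshd[2315]: Failed password for root from 203.0.113.7 port 51016 ssh2
Jun  4 10:01:09 host sshd[2316]: Accepted password for root from 203.0.113.7 port 51017 ssh2
Jun  4 10:02:00 host sshd[2320]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Jun  4 10:02:30 host sshd[2321]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
"""

# "invalid user" appears when the username does not exist on the host;
# both forms count as a guessed credential.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")


def find_ssh_dictionary_attacks(log_text, min_failures=5, min_users=3):
    """Flag source IPs whose failed logins look like a user/password dictionary run.

    Returns {ip: {"failures": n, "users": [...], "succeeded_after": bool}}.
    "succeeded_after" is True when the same IP later logged in successfully,
    which is the point at which a worm like r2r2 would start pulling its payload.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    succeeded = defaultdict(bool)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= min_failures:
            succeeded[m.group(2)] = True
    return {ip: {"failures": n, "users": sorted(users[ip]), "succeeded_after": succeeded[ip]}
            for ip, n in failures.items()
            if n >= min_failures and len(users[ip]) >= min_users}
```

A single failed login followed by a key-based success (the second IP above) is not flagged, so ordinary user mistakes do not trip the rule; an IP that is flagged with `succeeded_after` set should be treated as a compromised host, not just a noisy scanner.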
Victim data from targeted services is stored in a log file, including login credentials from WordPress admin panels and SSH, URLs exposing vulnerable config panels of DSL modems and more. In addition to varying infection methods, the hackers behind Operation Prowli use different malicious code for each of their targets. The SSH brute-force attack gives the hackers complete control of the system, and those machines are used to mine cryptocurrency, while infected websites are used to run different web frauds. Other victims are picked by the hackers to run further attacks, similar to how the server behind wp.startreceive[dot]tk was used as a C&C server.