Guardicore Uncovers Operation Prowli Cryptocurrency Mining Malware Campaign
Prowli Crypto-Mining Operation Infects More Than 40,000 Machines Worldwide as CryptoJacking on the Rise
The campaign, called “Operation Prowli”, infected more than 40,000 machines across various industries, including the financial, education and government sectors. To achieve its goal, the campaign uses techniques such as exploits and password brute-forcing to spread its malware and take over devices such as web servers, modems and Internet-of-Things (IoT) devices.
GuardiCore found that the attackers behind Prowli were focused on making money rather than on ideology or espionage. The compromised devices were reportedly infected with a Monero (XMR) miner and the r2r2 worm, a malware that executes SSH brute-force attacks from the hacked devices and so allows Prowli to reach new victims.
In other words, r2r2 randomly generates IP address blocks, attempts to brute-force SSH logins against them using a user/password dictionary, and after logging in executes a series of commands on the victim.
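The SSH brute-force behaviour described above is visible in a server's own authentication log. The following is an added detection example written for this article; it is not Guardicore's code and not part of the original report. It parses constructed OpenSSH log lines (the hostnames, IPs and timestamps are made up), flags any source address that exceeds a threshold of failed logins inside a sliding time window, and escalates when a successful login later arrives from the same flagged source, which is the pattern a dictionary-spraying worm leaves behind. The threshold and window values are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog format (not taken from the article).
# One source sprays several usernames and then succeeds; another is a normal user typo.
SAMPLE_LOG = """\
Jun  5 10:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun  5 10:00:02 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun  5 10:00:03 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jun  5 10:00:04 web01 sshd[2217]: Failed password for invalid user pi from 203.0.113.7 port 51052 ssh2
Jun  5 10:00:05 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jun  5 10:00:09 web01 sshd[2221]: Accepted password for root from 203.0.113.7 port 51077 ssh2
Jun  5 10:03:10 web01 sshd[2301]: Failed password for alice from 198.51.100.20 port 40011 ssh2
Jun  5 10:03:40 web01 sshd[2303]: Accepted password for alice from 198.51.100.20 port 40012 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2018):
    """Parse one sshd auth line into a dict, or None if it is not a password event.
    Syslog lines carry no year, so the caller supplies one (assumed 2018 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: alert} for sources with >= threshold failed logins
    inside a sliding window, marking whether a login later succeeded from them."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    usernames = defaultdict(set)    # ip -> distinct usernames tried
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(ev["ts"])
            usernames[ip].add(ev["user"])
            # Drop failures that fell out of the window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "first_seen": q[0],
                    "failures": len(q),
                    "usernames": sorted(usernames[ip]),
                    "success_after": False,
                }
        elif ev["result"] == "Accepted" and ip in alerts:
            # A success after a spray is the high-severity case: likely account takeover.
            alerts[ip]["success_after"] = True
            alerts[ip]["compromised_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        severity = "HIGH" if alert["success_after"] else "MEDIUM"
        print(f"[{severity}] {ip}: {alert['failures']} failures, "
              f"users tried {alert['usernames']}, success_after={alert['success_after']}")
```

Run against the sample, the spraying source is reported as HIGH because a login succeeded after the failures, while the single typo from the second address never reaches the threshold. In production you would feed this from the journal or `/var/log/auth.log` and act on the HIGH case first (reset the account, inspect what was executed after login), since the worm runs commands immediately after logging in.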
The idea behind CryptoJacking malware is that it can utilize (ultimately, in this case, steal) idle computer power and turn it into mining a coin of the attacker's choice (usually Monero). There are services like CryptoJacking Test with which you can check whether your web browser has been affected by cryptocurrency-mining malware. You can also look into NoCoin and MinerBlock, which help block these types of services from reaching your system.
“The attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools named r2r2 along with a cryptocurrency miner.”
Cybercriminals use an open source web shell called “WSO Web Shell” to alter compromised websites to host malicious code that redirects visitors to a traffic distribution system, which in turn redirects them to other malicious sites.
Once redirected to a fake website, users fell victim by clicking on malicious browser extensions. The GuardiCore team reported that Operation Prowli was able to affect more than 9,000 companies worldwide.
This is part of a growing trend of cryptocurrency mining botnets, or CryptoJacking, which siphon your computer's power and turn it into blockchain mining power. It abuses the (really ingenious) incentive structure of the blockchain, where contributing hashrate supports the global structure and is rewarded with newly minted coins and blocks. We have seen this with Drupal, Xbooster, ComboJack, Evrial, FacexWorm and Digimine, as well as companies trying to help protect users and consumers, such as 360 Total Security.
This discovery by GuardiCore also comes on the heels of ISACA stating that crypto-mining malware has outpaced ransomware attempts as of 2018.