LTS Secure Warning: Prowli Malware infected 40,000 machines

Cybercriminals have built a crypto-mining campaign, Prowli, that has compromised more than 40,000 machines across some 9,000 companies around the world. The campaign was uncovered by the Guardicore Labs team.

Prowli spreads through a mix of credential brute-forcing, exploits for known vulnerabilities, and weak configurations. It targets CMS hosting servers, backup servers running HP Data Protector, DSL modems and IoT devices.

Technical Details

Guardicore says the attackers monetize compromised hosts in two common ways:

  • Cryptocurrency mining
  • Traffic monetization

Once servers or IoT devices have been compromised, the Prowli group checks whether they are powerful enough for heavy cryptocurrency mining.

Those that are get infected with a Monero miner and the r2r2 worm, a component that launches SSH brute-force attacks from the hacked devices and so helps the campaign spread to new hosts.

Furthermore, CMS platforms that are used to run websites receive special treatment: they are additionally infected with a backdoor, the WSO web shell. The crooks use this web shell to modify the compromised sites so that they host malicious code which redirects some of the site's visitors to a traffic distribution system (TDS). The TDS rents out the hijacked web traffic to other crooks and sends users on to all sorts of malicious destinations, such as tech support scams and fake update sites.
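The r2r2 worm described above leaves a very recognizable trail in the victims' sshd logs: many password failures from one source in a short time, often against several accounts. The following Python script is an added example for this page (not Guardicore's tooling and not code from the Prowli campaign) of the check a defender would run over such logs: it parses standard OpenSSH "Failed password"/"Accepted password" syslog lines, flags sources that exceed a failure threshold within a sliding window, and reports whether any of those sources later logged in successfully. The log lines and the threshold of ten failures in five minutes are constructed for the example.

```python
"""Flag SSH password brute-forcing in sshd auth logs.

Added example for this page, not Guardicore's tooling or code from the Prowli
campaign. The log lines and the detection threshold are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH sshd messages as written by syslog: "MMM dd HH:MM:SS host sshd[pid]: ..."
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(
    _PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from " + _IP + r" port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted password for (?P<user>\S+) from " + _IP + r" port \d+ ssh2"
)

# Constructed sample: one source (198.51.100.23) sprays three accounts and
# finally gets in as root; another (203.0.113.5) is a user mistyping a password.
SAMPLE_AUTH_LOG = """\
Jun  6 03:14:01 web01 sshd[2114]: Failed password for root from 198.51.100.23 port 40212 ssh2
Jun  6 03:14:03 web01 sshd[2116]: Failed password for root from 198.51.100.23 port 40213 ssh2
Jun  6 03:14:05 web01 sshd[2118]: Failed password for root from 198.51.100.23 port 40214 ssh2
Jun  6 03:14:09 web01 sshd[2131]: Failed password for alice from 203.0.113.5 port 51002 ssh2
Jun  6 03:14:12 web01 sshd[2120]: Failed password for admin from 198.51.100.23 port 40215 ssh2
Jun  6 03:14:14 web01 sshd[2122]: Failed password for admin from 198.51.100.23 port 40216 ssh2
Jun  6 03:14:16 web01 sshd[2124]: Failed password for admin from 198.51.100.23 port 40217 ssh2
Jun  6 03:14:18 web01 sshd[2126]: Failed password for admin from 198.51.100.23 port 40218 ssh2
Jun  6 03:14:20 web01 sshd[2131]: Accepted password for alice from 203.0.113.5 port 51002 ssh2
Jun  6 03:14:25 web01 sshd[2128]: Failed password for invalid user pi from 198.51.100.23 port 40219 ssh2
Jun  6 03:14:27 web01 sshd[2130]: Failed password for invalid user pi from 198.51.100.23 port 40220 ssh2
Jun  6 03:14:29 web01 sshd[2132]: Failed password for invalid user pi from 198.51.100.23 port 40221 ssh2
Jun  6 03:14:40 web01 sshd[2134]: Failed password for root from 198.51.100.23 port 40222 ssh2
Jun  6 03:14:42 web01 sshd[2136]: Failed password for root from 198.51.100.23 port 40223 ssh2
Jun  6 03:15:40 web01 sshd[2140]: Accepted password for root from 198.51.100.23 port 40224 ssh2
"""


def parse_ts(ts, year=2018):
    """syslog timestamps carry no year; the caller supplies it (assumed 2018
    here to match the sample). Logs spanning a year boundary need more care."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: finding} for every source with >= threshold password
    failures inside any `window`, and record whether a password login from
    that source later succeeded, which is the case that needs a response."""
    failures = defaultdict(list)   # ip -> [(time, user)]
    accepted = defaultdict(list)   # ip -> [(time, user)]
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepted[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        # Sliding window over sorted times: the most failures seen in any `window`.
        peak, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak < threshold:
            continue
        later_success = next(
            ((t, u) for t, u in sorted(accepted.get(ip, [])) if t >= times[0]), None)
        findings[ip] = {
            "failures": len(events),
            "peak_in_window": peak,
            "users_tried": sorted({u for _, u in events}),
            "compromised_user": later_success[1] if later_success else None,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, finding)
```

Run against a real host, feed it `/var/log/auth.log` (or `journalctl -u ssh -o short`) instead of the sample; a source that appears with a non-empty `compromised_user` should be treated as a live intrusion rather than just a noisy scanner, since that is exactly the point at which Prowli would install its miner and the worm.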

Impact

Prowli malware has infected the following servers and devices:

  • WordPress sites (via several exploits and admin panel brute-force attacks)
  • Joomla sites running the K2 extension (via CVE-2018-7482)
  • Several models of DSL modems (via a well-known vulnerability)
  • Servers running HP Data Protector (via CVE-2014-2623)
  • Drupal, PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports (all via brute-force credentials guessing)

Recommended Actions

Since the attackers rely on a mix of known vulnerabilities and credential guessing to compromise devices, keep systems patched and up to date and use strong, unique passwords on every device.

Also consider locking down exposed services and segmenting vulnerable or hard-to-secure systems so that they are separated from the rest of the network.
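The password advice above can be checked mechanically on Linux hosts. The following Python script is an added example for this page (not from the Guardicore advisory) that parses an OpenSSH `sshd_config` and flags the settings which keep SSH password brute-forcing viable. It goes a step beyond the text's "strong passwords" advice by treating password authentication itself as something to turn off in favour of keys, and it shows a weak configuration beside its hardened counterpart. Both configuration texts are constructed; the defaults assumed for unset keywords follow sshd_config(5).

```python
"""Audit sshd_config for settings that keep SSH password brute-forcing viable.

Added example for this page, not from the Prowli advisory. Both configuration
texts are constructed; defaults for unset keywords follow sshd_config(5).
"""
import re

# Constructed: a distribution default left untouched.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
MaxAuthTries 6
"""

# Constructed: the same host after hardening (key-only logins).
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries = 3
AllowGroups ssh-users
"""


def parse_sshd_config(text):
    """Global-section settings as {keyword_lower: value}.

    sshd_config(5): keywords are case-insensitive, separated from their
    argument by whitespace or a single '=', and the first value seen wins.
    Match blocks are per-connection overrides and are not evaluated here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


# (accepted keyword names, is_ok(value), default when unset, why it matters)
CHECKS = [
    (("passwordauthentication",), lambda v: v.lower() == "no", "yes",
     "password logins are what SSH brute forcing (e.g. the r2r2 worm) guesses at"),
    (("kbdinteractiveauthentication", "challengeresponseauthentication"),
     lambda v: v.lower() == "no", "yes",
     "with PAM, keyboard-interactive still prompts for a password when PasswordAuthentication is off"),
    (("permitrootlogin",), lambda v: v.lower() == "no", "prohibit-password",
     "a guessed root password yields full control; log in as a named user and use sudo"),
    (("maxauthtries",), lambda v: v.isdigit() and int(v) <= 3, "6",
     "more guesses per connection means faster brute forcing"),
    (("pubkeyauthentication",), lambda v: v.lower() == "yes", "yes",
     "key auth must stay enabled or disabling passwords locks everyone out"),
]


def audit_sshd_config(text):
    """Return [(keyword, effective_value, reason)] for every failed check."""
    settings = parse_sshd_config(text)
    findings = []
    for names, is_ok, default, reason in CHECKS:
        value = next((settings[n] for n in names if n in settings), default)
        if not is_ok(value):
            findings.append((names[0], value, reason))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}:", audit_sshd_config(cfg) or "no findings")
```

To audit a real host, pass the contents of `/etc/ssh/sshd_config` to `audit_sshd_config`; if the file includes other files or uses `Match` blocks, run `sshd -T` and feed its normalized output instead, since that is the effective configuration sshd actually applies.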

Guardicore has released a security advisory about Prowli Malware on June 6, 2018.