O Prowli é um malware a rodar sobre uma botnet que explora essencialmente vulnerabilidades conhecidas e ataques de brute-force. Ele foi inicialmente identificado por investigadores da GuardiCore.
Esta campanha, apelidada de Prowli Operation, destina-se a servidores e dispositivos, e usa os seguintes métodos de ataque:
- Using a self-propagating worm that targets systems running SSH by brute force credential guessing, then the infected machines download and run a cryptocurrency miner.
- Exploiting the CVE-2018-7482 file download vulnerability to compromise Joomla! Servers running the K2 extension
- Accessing the internet facing configuration panel of variety of DSL modems by using a URL such as http://:7547/UD/act?1 and passing in parameters exploiting a known vulnerability. The vulnerability affects the processing of SOAP data and allows remote code execution. This vulnerability was previously used by the Mirai worm.
- Using several exploits and launching brute-force attacks o admin panel of WordPress sites.
- Exploiting a 4-year-old vulnerability, CVE-2014-2623, to execute commands with system privileges on servers running HP Data Protector exposed to the internet (over port 5555).
- Targeting Drupal, PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports via brute-force credentials guessing.
Depois do comprometimento de um servidor ou dispositivo IoT os hackers determinam se podem usá-lo para operações de cryptomining. Nestas operações é usado um minerador Monero e o worm r2r2, um malware usado para lançar ataques de força bruta de SSH em dispositivos que já tenham sido comprometidos.
“The attackers behind Prowli incur no expenses when they use r2r2 to take over computers owned by others and use mining pools to launder their gains. Cryptocurrency is a common payload of modern worms, and in this case as in many others, our attackers prefer to mine Monero, a cryptocurrency focused on privacy and anonymity to a greater degree than Bitcoin.” reads the analysis published by the experts.
“Second source of revenue is traffic monetization fraud. Traffic monetizers, such as roi777, buy traffic from “website operators” such as the Prowli attackers and redirect it to domains on demand. Website “operators” earn money per traffic sent through roi777. The destination domains frequently host different scams, such as fake services, malicious browser extensions and more.”
Os hackers também comprometeram os servidores com a backdoor WSO Web Shell. Os websites invadidos foram utilizados para hospedar códigos maliciosos que redirecionam os visitantes para um sistema de distribuição de tráfego (TDS) como forma de ganhar dinheiro com tráfego sequestrado.
“Traffic monetizers, such as roi777, buy traffic from “website operators” such as the Prowli attackers and redirect it to domains on demand. Website “operators” earn money per traffic sent through roi777. The destination domains frequently host different scams, such as fake services, malicious browser extensions and more.” continues the experts.