Prowli malware infected 40,000 Web servers, modems, & IoT devices

The security team of GuardiCore, an Israeli cybersecurity company, discovered that cybercriminals have managed to create a large Prowli botnet with more than 40,000 infected Web servers, modems and other Internet of Things (IoT) devices. The Prowli botnet’s manipulator exploits vulnerabilities and brute-force attacks to attack and control devices. Affected by more than 9,000 companies, these companies are mainly located in China, Russia, the United States and other countries.

Prowli malware is used to cryptocurrency mining and target users to malicious sites. This is a diverse operating system that relies on brute force attacks and vulnerabilities to infect and take over the device. Prowli known servers and devices infected in recent months are as follows:

WordPress sites (via several exploits and admin panel brute-force attacks)
Joomla! sites running the K2 extension (via CVE-2018-7482)
Several models of DSL modems (via a well-known vulnerability)
Servers running HP Data Protector (via CVE-2014-2623)
Drupal, PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports (all via brute-force credentials guessing)

In addition, Prowli’s manipulators also ran the SSH scanner module and tried to guess the device username and password that exposed the SSH port.

Image: guardicore

Once the server or IoT device is attacked, the Prowli operator determines if the equipment is available for mining. After confirmation, the manipulator infects it through the Monroe mining program and the R2R2 worm. The R2R2 worm performs SSH brute-force attacks on hacked devices and helps the Prowli botnet grow further.

In addition, the CMS platform running the website encountered a backdoor infection (WSO Web Shell). The attacker modifies the attacked Web site through the WSO Web Shell. Hosting malicious code redirects some of the site’s visitors to the traffic distribution system (TDS). The TDS then rents the hijacked network traffic to other attackers and redirects the user to Various malicious websites, such as fake technical support websites and update websites.

GuardiCore stated that the TDS system used by the attacker is EITest (also known as ROI777). In March 2018, ROI777 was hacked. After some of its data were leaked to the Internet, Internet Security shut down the system in April. Despite this, this does not seem to prevent the pace of action of the Prowli botnet.

According to the researchers, the attackers carefully designed and optimized the entire operation. Prowli malware infected more than 4,000 companies and more than 40,000 servers and devices on the network and then used these devices to make money, and the victims of the software. Worldwide.

GuardiCore mentioned Prowli’s attack indicators (IoC) and other details in the report, which system administrators can use to check their IT networks for attacks.