Categories: MalwareSecurity News

Beware of Prowli Malware that Compromised More Than 40,000 Victim Machines Around the World

The new malware campaign, dubbed Operation Prowli, infecting number of industries such as finance, education, and government. The Prowli malware has compromised more than 40,000 machines and 9,000 companies around the world.

Prowli malware uses various attack techniques such as brute-forcing, exploits, and weak configurations. It targets CMS hosting servers, backup servers, HP Data Protector, DSL modems and IoT devices.

Security researchers from Guardicore uncovered the malware operation, it uses quiet common techniques for monetization cryptocurrency mining and redirecting users to malicious sites.

Prowli Malware Infection

Cybercriminals behind Prowli compromised a huge number of IPs and domain running different services that exposed to the Internet.

Operation Prowli targeted a number of organizations regardless of their size and distribution. It compromised different services that are vulnerable to remote pre-authentication attacks or brute-force.

Targeted Services

Drupal CMS websites – brute-force
WordPress sites – brute-force
DSL modems – brute-force
Joomla – CVE-2018-7482
Servers with Open SSH port – brute-force
Vulnerable IoT devices – brute-force
Servers exposing HP Data Protector software – over port 5555 – CVE-2014-2623
servers with exposed SMB ports – brute-force
PhpMyAdmin installations – brute-force

Monetization Methods

Guardicore says the attackers the attackers primarily focused on making money and they have employed two common revenue methods.

Cryptocurrency mining
Traffic monetization

Once they have servers compromised the attackers Prowli operation infects the server or IoT device with Monero miner and with the self-propagating r2r2 worm that brute-force SSH logins.

Also Read Iron Cybercrime Group Distributing New Powerful Backdoor with Strong Evasion Techniques

Prowli group sells traffic via roi777, who pays for traffic sent through them. Attackers used webshells “WSO Web Shell” to host malicious scripts in the website and to redirect the legitimate website traffic to scam sites.

Guardicore published a detailed report along with Indicators of Compromise and other details.

The operation targeted multiple vulnerabilities and brute-force, to prevent this attacks server should be patched against the known vulnerabilities and should use strong credentials.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Leave a Comment
Share
Published by
Gurubaran
Tags: Brute forcemultiple vulnerabilitiesProwli Malware
7 years ago

Recent Posts

Researchers Jailbreak OpenAI o1/o3, DeepSeek-R1, and Gemini 2.0 Flash Models

Researchers from Duke University and Carnegie Mellon University have demonstrated successful jailbreaks of OpenAI’s o1/o3,…

53 minutes ago

INE Secures Spot Top 50 Education Software Rankings 2025 in G2’s

INE, the leading provider of networking and cybersecurity training and certifications, today announced its recognition…

54 minutes ago

Silent Killers Exploit Windows Policy Loophole to Evade Detections and Deploy Malware

In a significant cybersecurity revelation, researchers have uncovered a large-scale campaign exploiting a Windows policy…

2 hours ago

200 Malicious GitHub Repositories Distributing Malware to Developers

A sophisticated malware campaign dubbed GitVenom has infected over 200 GitHub repositories, targeting developers with fake projects…

2 hours ago

Poseidon Stealer Targets Mac Users via Fake DeepSeek Website

Cybersecurity researchers uncovered a sophisticated malware campaign targeting macOS users through a fraudulent DeepSeek.ai interface.…

2 hours ago

Beware of Fake Job Interview Challenges Targeting Developers to Deliver Malware

A new wave of cyberattacks, dubbed "DeceptiveDevelopment," has been targeting freelance developers through fake job…

4 hours ago