Cyber-criminals have managed to assemble a gigantic botnet of over 40,000 infected web servers, modems, and other IoT devices, which they used for cryptocurrency mining, and for redirecting users to malicious sites.
Named Prowli and discovered by the GuardiCore security team, this botnet is a diverse operation that relies on vulnerabilities and credential brute-force attacks to infect and take over devices.
The following types of servers and devices have been known to be infected by the Prowli group in recent months:
Furthermore, the Prowli group also operates an SSH scanner module that attempts to guess the username and password of devices that expose their SSH port on the Internet.
Once servers or IoT devices have been compromised, the Prowli group determines if they can be used for heavy cryptocurrency mining operations.
Those that can are infected with a Monero miner and the r2r2 worm, a malware strain that performs SSH brute-force attacks from the hacked devices, and helps the Prowli botnet expand with new victims.
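The SSH password guessing described above (the group's SSH scanner module and the r2r2 worm that repeats it from infected hosts) leaves a distinctive trail in sshd logs: bursts of failed logins from one source address, often across several usernames, and in the worst case an accepted password login right after the burst. As an added illustration that is not code from the article or from GuardiCore, the following Python script parses constructed sshd log lines in syslog format and flags both patterns; the addresses, hostnames and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not taken from the report.
SAMPLE_AUTH_LOG = """\
Jun  7 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.23 port 41022 ssh2
Jun  7 10:00:02 host sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
Jun  7 10:00:03 host sshd[1205]: Failed password for invalid user pi from 198.51.100.23 port 41041 ssh2
Jun  7 10:00:04 host sshd[1207]: Failed password for root from 198.51.100.23 port 41055 ssh2
Jun  7 10:00:05 host sshd[1209]: Failed password for root from 198.51.100.23 port 41060 ssh2
Jun  7 10:00:06 host sshd[1211]: Accepted password for root from 198.51.100.23 port 41071 ssh2
Jun  7 10:05:00 host sshd[1301]: Failed password for alice from 203.0.113.9 port 50000 ssh2
Jun  7 10:05:30 host sshd[1302]: Accepted publickey for alice from 203.0.113.9 port 50001 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(log_text):
    """Return (timestamp, ip, user, result, method) tuples for authentication lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not authentication results are ignored
        # syslog timestamps carry no year; relative ordering is all we need here
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside a sliding window.

    A password login accepted from the same IP while the window is still
    "hot" is escalated to likely_compromise, since that is what a successful
    guessing run looks like from the victim's side.
    """
    failures = defaultdict(list)     # ip -> timestamps of recent failures
    users_tried = defaultdict(set)   # ip -> usernames attempted
    findings = {}
    for ts, ip, user, result, method in parse_events(log_text):
        # keep only failures that fall inside the window ending at this event
        failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if result == "Failed":
            failures[ip].append(ts)
            users_tried[ip].add(user)
            if len(failures[ip]) >= threshold:
                f = findings.setdefault(ip, {"severity": "brute_force", "failures": 0,
                                             "users": users_tried[ip], "compromised_user": None})
                f["failures"] = max(f["failures"], len(failures[ip]))
        elif result == "Accepted" and method == "password" and len(failures[ip]) >= threshold:
            f = findings.setdefault(ip, {"severity": "brute_force", "failures": len(failures[ip]),
                                         "users": users_tried[ip], "compromised_user": None})
            f["severity"] = "likely_compromise"
            f["compromised_user"] = user
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info["severity"], "failures=%d" % info["failures"],
              "users=%s" % sorted(info["users"]), "login=%s" % info["compromised_user"])
```

Run against a real /var/log/auth.log the same way; a single failed attempt from a known address (the `alice` lines) is left alone, while the five-attempt burst followed by an accepted password from the same address is reported as a likely compromise, which is the event worth investigating and the reason to disable password authentication on exposed SSH ports.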
Furthermore, CMS platforms that are used to run websites receive special treatment, because they are also infected with a backdoor (the WSO Web Shell).
Crooks used this web shell to modify the compromised websites to host malicious code that redirects some of the site's visitors to a traffic distribution system (TDS), which then rents out the hijacked web traffic to other crooks and redirects users to all sorts of malicious sites, such as tech support scams, fake update sites, and more.
According to GuardiCore, the TDS system the crooks worked with was EITest, also known as ROI777. That service was taken down by cyber-security firms in April, after ROI777 was hacked in March and some of its data was dumped online. Nonetheless, this doesn't seem to have stopped Prowli, which continued to operate afterwards.
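Because the redirects above are delivered by editing files on the compromised CMS installation, a site owner's most reliable signal is a change to files that should not change between deployments. As an added illustration that is not code from the article, from GuardiCore, or from any CMS project, the following Python script builds a SHA-256 manifest of a web root, then compares a later manifest against it and reports added, removed and modified files; the directory layout, file names and the "tamper marker" are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (as a relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return the files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed CMS-like tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "demo")
        os.makedirs(theme)
        files = {
            os.path.join(root, "index.php"): "<?php /* constructed front controller */ ?>\n",
            os.path.join(theme, "header.php"): "<html><head><title>demo</title></head>\n",
            os.path.join(theme, "footer.php"): "<footer>demo</footer></html>\n",
        }
        for path, body in files.items():
            with open(path, "w") as fh:
                fh.write(body)
        baseline = build_manifest(root)   # in practice: taken at deployment, stored off-host

        # Simulate the kind of change a web shell makes: an edited theme file and a new file.
        with open(os.path.join(theme, "footer.php"), "a") as fh:
            fh.write("<!-- CONSTRUCTED_TAMPER_MARKER -->\n")
        with open(os.path.join(root, "wp-content", "uploads.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder for an unexpected file */ ?>\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the web server account cannot write, otherwise an attacker who has the web shell can simply re-baseline after editing. Legitimately changing directories (caches, uploads) are better excluded from the walk or audited separately, so the report stays short enough that a modified theme or core file stands out.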
The big picture, according to researchers, is that the entire Prowli operation was intentionally designed and optimized to maximize profits for crooks.
During its lifetime, the Prowli malware infected over 40,000 servers and devices located on the networks of over 9,000 companies, which the group then used to their full potential to earn money before the malware was discovered. Prowli operated without discrimination and made victims all over the world, regardless of the underlying platform.
The GuardiCore report on the Prowli group contains indicators of compromise and other details that system administrators can utilize to determine if their IT network has been compromised by this threat.