A large botnet which has affected more than 40K devices by hackers is currently being used for cryptocurrency mining as well as also redirecting users to malicious sites. The malware dubbed Prowli was discovered by the GuardiCore Security team. The botnet is diverse and currently relies on vulnerabilities and weak credentials to infect devices.
The Prowli malware affects the following products:
– WordPress sites (via several exploits and admin panel brute-force attacks)
– Joomla! sites running the K2 extension (via CVE-2018-7482)
– Several models of DSL modems (via a well-known vulnerability)
– Servers running HP Data Protector (via CVE-2014-2623)
– Drupal, PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports (all via brute-force credentials guessing)
The devices were affected by Monero miners malware which is used for mining the data after compromise. There is also something called r2w2 worm and also a malware strain that is performing the brute-force SSH attacks.
Many CMS platforms are targeted for common unpatched vulnerabilities. The Hackers have used a web shell to change the compromised web applications which are being used as puppets to execute the malicious code on the victims PC.
According to company GuardiCore a traffic distribution system (TDS) was used by the hackers to host the malicious code which redirects users to fake update sites. GuardiCore said that the TDS system used was EITest also codenamed as ROI777. The service has been taken down by cyber-security firms in April after was hacked in March of 2018. While some of its data was dumped online it didn’t stop Prowli from continuing to operate on the internet.
Take your time to comment on this article.