The GuardiCore security team has discovered a malicious traffic manipulation and cryptocurrency mining campaign, according to an announcement published June 6. The campaign infected over 40,000 machines across various industries, including finance, education, and government.
The campaign called Operation Prowli used various techniques like exploits and password brute-forcing to spread malware and take over devices, such as web servers, modems, and Internet-of-Things (IoT) devices. GuardiCore found that the attackers behind Prowli were focused on making money rather than ideology or espionage.
According to the report, the compromised devices were infected with a Monero (XMR) miner and the r2r2 worm, a malware that executes SSH brute-force attacks from the hacked devices, and backs the Prowli to affect new victims. In other words, by randomly generating IP address blocks, r2r2 tries to brute-force SSH logins with a user/ password dictionary, and after breaking in runs a series of commands on the victim. The GuardiCore wrote:
"The attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools named r2r2 along with a cryptocurrency miner."
Additionally, cybercrooks used an open source webshell named “WSO Web Shell” to alter the compromised websites to host malicious code that redirects site visitors to a traffic distribution system, which then redirects them to various other malicious sites. Once redirected to a fake website, users fell victim to clicking on malicious browser extensions. The GuardiCore team reported that Prowli managed to compromise more than 9,000 companies.
Last month, a new piece of cryptojacking malware used half a million computers to mine 133 Monero tokens in three days. Cyber security firm 360 Total Security discovered that the malware, referred to as WinstarNssmMiner, presents a fresh challenge to users, due to its ability to both mine and crash infected machines.