GuardiCore's security research team recently detected a malicious traffic manipulation and cryptocurrency mining campaign that has affected more than 40,000 machines across every sector of society.
Dubbed Operation Prowli, the campaign used a mix of password brute-forcing and exploits to spread malware that compromised devices such as modems, web servers and Internet-of-Things (IoT) devices. The researchers noted that the operators were focused on making money rather than on spreading an ideology or conducting espionage.
According to the report, compromised devices had a Monero (XMR) miner installed alongside the r2r2 worm, which launches SSH brute-force attacks from the infected hosts and thereby helps Prowli spread to new victims. r2r2 simply generates random blocks of IP addresses and tries to brute-force SSH logins against them with a dictionary of usernames and passwords. Once the worm has gained access to a device, it runs a series of commands on the victim.
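From the defender's side, the worm behaviour described above (many failed SSH logins for several usernames from one source, followed by a successful login once a dictionary entry works) is visible in sshd's auth log. The following detector is an added example and is not GuardiCore's code or part of Prowli; the log lines, the 5-failures-in-60-seconds threshold and the hostnames are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not taken from the GuardiCore report).
# 203.0.113.7 behaves like a worm: a burst of failures over several
# usernames, then a success. The other two sources are ordinary users.
SAMPLE_AUTH_LOG = """\
Jun  4 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jun  4 10:00:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41023 ssh2
Jun  4 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 41024 ssh2
Jun  4 10:00:04 host sshd[1203]: Failed password for invalid user pi from 203.0.113.7 port 41025 ssh2
Jun  4 10:00:05 host sshd[1204]: Failed password for root from 203.0.113.7 port 41026 ssh2
Jun  4 10:00:06 host sshd[1205]: Accepted password for root from 203.0.113.7 port 41027 ssh2
Jun  4 10:00:09 host sshd[1206]: Failed password for alice from 198.51.100.20 port 50000 ssh2
Jun  4 10:00:30 host sshd[1207]: Accepted publickey for alice from 198.51.100.20 port 50001 ssh2
Jun  4 11:30:00 host sshd[1300]: Failed password for root from 192.0.2.9 port 3333 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2018):
    """Parse one sshd auth line into a dict, or return None for other lines.
    Syslog timestamps carry no year, so one is assumed (2018 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside any
    window_seconds span (sliding window). A source that then logs in
    successfully is escalated from 'brute-force' to 'compromised', which is
    the moment a worm like r2r2 would start running commands on the host."""
    fails = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)     # ip -> usernames attempted (dictionary attack hallmark)
    verdicts = {}                # ip -> 'brute-force' or 'compromised'
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        users[ip].add(ev["user"])
        if ev["result"] == "Failed":
            q = fails[ip]
            q.append(ts)
            # drop failures that fell out of the window
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                verdicts.setdefault(ip, "brute-force")
        elif verdicts.get(ip) == "brute-force":
            verdicts[ip] = "compromised"
    return {ip: {"verdict": v, "users": sorted(users[ip])} for ip, v in verdicts.items()}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['verdict']} (usernames tried: {', '.join(info['users'])})")
```

The single failure from 198.51.100.20 followed by a key-based login is a normal user mistyping a password and is not flagged; only 203.0.113.7 crosses the threshold and is escalated to "compromised" by the subsequent accepted password. On a real host, feed `/var/log/auth.log` (or `journalctl -u ssh`) into `detect_bruteforce`, and treat a "compromised" verdict as a trigger to look for the follow-on commands and the miner process.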
The attackers also used an open-source web shell, WSO Web Shell, to take control of compromised websites and host malicious code on them that redirects each site's visitors to a traffic distribution system (TDS), which in turn forwards them to other malicious sites. Once they land on a fraudulent site, visitors are tricked into installing malicious browser extensions. GuardiCore reported that Prowli infected more than 9,000 companies and organizations.
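A site owner checking whether their pages carry this kind of injected redirect can look for the few constructs a browser follows without user action (a `location` assignment, `location.replace()`/`assign()`, or a meta refresh) whose target is a host other than the site itself. The scanner below is an added example, not GuardiCore's code and not based on an actual Prowli sample; the page contents, the site hostname and the TDS hostname are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed page: a legitimate shop page with an injected off-site redirect.
INJECTED_PAGE = """<html><head>
<title>Example shop</title>
<script src="/static/app.js"></script>
<script>window.location.href="http://tds.example.net/go?src=shop";</script>
</head><body><a href="/products">Products</a></body></html>"""

# Constructed page: a same-site meta refresh, which is normal behaviour.
CLEAN_PAGE = """<html><head><title>Example shop</title>
<meta http-equiv="refresh" content="0;url=/login"></head><body></body></html>"""

# Redirect constructs that fire without a click; group 1 is the target URL.
REDIRECT_PATTERNS = [
    re.compile(r"""\blocation(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I),
    re.compile(r"""\blocation\.(?:replace|assign)\(\s*["']([^"']+)["']""", re.I),
    re.compile(r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]*url=([^"'>\s]+)""", re.I),
]


def find_offsite_redirects(html, site_host):
    """Return the redirect targets in html whose host differs from site_host.
    Relative targets and same-host targets are left alone, since sites
    legitimately redirect within themselves."""
    hits = []
    for pat in REDIRECT_PATTERNS:
        for m in pat.finditer(html):
            target = m.group(1)
            host = urlparse(target).hostname  # None for relative URLs
            if host and host.lower() != site_host.lower():
                hits.append(target)
    return hits


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_offsite_redirects(page, "shop.example.com"))
```

This catches the plain form of the injection; an attacker who obfuscates the script (string concatenation, `eval`, base64) or loads the redirect from an external script file will not match these patterns, so a hit is evidence of compromise but an empty result is not evidence of a clean site. Checking the served page from an outside network also matters, because a TDS-backed injection is often conditional on the visitor's referrer or user agent.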