Prowli Botnet

The GuardiCore security team discovered a new botnet that has infected over 40,000 web servers, modems, and Internet of Things (IoT) devices, compromising over 9,000 companies worldwide. Dubbed “Prowli,” the botnet uses known vulnerabilities and brute-force attacks to infect devices, then uses them for cryptocurrency mining and to redirect users to malicious sites. Servers and IoT devices recruited for mining are infected with a Monero miner and the r2r2 worm, which uses each infected device to launch SSH brute-force attacks against new targets and expand the botnet. When Prowli compromises a content management system (CMS) platform such as Drupal, the site is infected with a backdoor that lets the threat actor inject malicious code into its pages; that code sends visitors to a traffic distribution system (TDS), which then redirects them to other malicious sites. Affected platforms include CMS servers, backup servers, DSL modems, and IoT devices.

The NJCCIC recommends that users and administrators of vulnerable platforms review the GuardiCore report for additional information and indicators of compromise (IOCs). Additionally, establish strong, unique passwords, enable multi-factor authentication, and keep all software up to date.
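The r2r2 worm spreads by SSH password guessing, so the earliest sign of Prowli activity on a Linux host is usually a burst of sshd “Failed password” lines from one source, sometimes followed by an “Accepted password” from the same source. The following detection logic is an added example written for this page, not code from GuardiCore, the NJCCIC, or the botnet itself. The log lines are constructed in the standard auth.log format with hypothetical hostnames and addresses; the year, the 5-failures-in-10-minutes threshold, and the alert names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (hypothetical host "web01" and
# documentation-range addresses; not indicators from the GuardiCore report).
# 203.0.113.45 shows the worm pattern: rapid failures, then a successful password login.
# 198.51.100.7 is a legitimate user who mistyped once and then used a key.
# 192.0.2.9 fails three times spread 15 minutes apart and stays below the window threshold.
SAMPLE_AUTH_LOG = """\
Jun  6 10:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jun  6 10:00:02 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Jun  6 10:00:02 web01 sshd[2105]: Failed password for invalid user test from 203.0.113.45 port 51041 ssh2
Jun  6 10:00:03 web01 sshd[2107]: Failed password for root from 203.0.113.45 port 51055 ssh2
Jun  6 10:00:04 web01 sshd[2109]: Failed password for root from 203.0.113.45 port 51060 ssh2
Jun  6 10:00:05 web01 sshd[2111]: Failed password for invalid user oracle from 203.0.113.45 port 51071 ssh2
Jun  6 10:00:06 web01 sshd[2113]: Accepted password for root from 203.0.113.45 port 51080 ssh2
Jun  6 10:07:10 web01 sshd[2150]: Failed password for alice from 198.51.100.7 port 40110 ssh2
Jun  6 10:07:20 web01 sshd[2152]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Jun  6 10:30:00 web01 sshd[2200]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jun  6 10:45:00 web01 sshd[2201]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jun  6 11:00:00 web01 sshd[2202]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

# syslog timestamps carry no year; assume one (assumption for the sample).
LOG_YEAR = 2018

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth result line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window brute-force detection per source address.

    Emits a 'bruteforce' alert when an address reaches `threshold` failed
    logins inside `window`, and a 'login_after_bruteforce' alert when the same
    address then authenticates successfully while still over the threshold.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    recent_failures = defaultdict(list)   # ip -> timestamps of failures inside window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fails = recent_failures[ev["ip"]]
        # Evict failures that have aged out of the window.
        while fails and ev["ts"] - fails[0] > window:
            fails.pop(0)
        if ev["result"] == "Failed":
            fails.append(ev["ts"])
            if len(fails) == threshold:   # fire once per burst, not on every extra failure
                alerts.append({"kind": "bruteforce", "ip": ev["ip"],
                               "ts": ev["ts"], "failures": len(fails)})
        elif len(fails) >= threshold:
            # Success from an address that was just guessing: treat as a likely compromise.
            alerts.append({"kind": "login_after_bruteforce", "ip": ev["ip"],
                           "ts": ev["ts"], "user": ev["user"], "method": ev["method"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

Run against the sample, the detector raises two alerts for 203.0.113.45 (the burst, then the root password login that follows it) and nothing for the other two addresses, because the 15-minute gaps keep 192.0.2.9 below the threshold once old failures age out. The same logic is what tools such as fail2ban apply to block the source; the stronger fix for the propagation vector the page describes is to disable SSH password authentication in favour of keys and to keep root login over SSH turned off.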