The GuardiCore security team discovered a new botnet, dubbed Prowli, which has infected over 40,000 servers, modems, and IoT devices. The botnet leverages known vulnerabilities and brute-force attacks to compromise devices, which it then uses for cryptocurrency mining and for redirecting users to malicious sites. Devices used for the cryptocurrency-mining operation are infected with a Monero miner and the r2r2 worm; the worm uses each infected device to perform SSH brute-force attacks against new targets in order to expand the botnet. When Prowli compromises a content management system (CMS) platform such as Drupal, the site is infected with a backdoor that allows the threat actor to inject malicious code into its pages. This code sends visitors to a traffic distribution system (TDS), which then redirects them to other malicious sites. Devices targeted by the Prowli botnet include CMS servers, backup servers, DSL modems, and IoT devices.
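
The SSH brute-force spread described above leaves a recognizable trace in the victim's sshd log: a burst of "Failed password" lines from one source address, followed by an "Accepted password" line from the same address once a weak credential is guessed. The following detector is an added example written for this page; it is not GuardiCore's code, not part of the Prowli report, and not tied to any real Prowli infrastructure. The log lines are constructed for illustration (documentation IP ranges, a hypothetical host "web1"), the year is assumed because syslog timestamps omit it, and the threshold of 5 failures in 60 seconds is an arbitrary tuning choice.

```python
"""Flag SSH password brute-force bursts, and logins that follow them, in sshd log lines.

Added example for illustration only: the constructed SAMPLE_LOG below is not real
data, and the detection thresholds are assumptions a defender would tune locally.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog-style format OpenSSH writes. The addresses
# are from documentation ranges (203.0.113.0/24, 198.51.100.0/24), not real attackers.
SAMPLE_LOG = """\
Jun  6 10:01:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun  6 10:01:02 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun  6 10:01:02 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
Jun  6 10:01:03 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51028 ssh2
Jun  6 10:01:04 web1 sshd[2209]: Failed password for invalid user pi from 203.0.113.7 port 51030 ssh2
Jun  6 10:01:05 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Jun  6 10:02:10 web1 sshd[2301]: Failed password for deploy from 198.51.100.4 port 40112 ssh2
Jun  6 10:07:30 web1 sshd[2302]: Failed password for deploy from 198.51.100.4 port 40114 ssh2
Jun  6 10:07:31 web1 sshd[2303]: Accepted publickey for deploy from 198.51.100.4 port 40116 ssh2
"""

# Matches the authentication-result lines sshd emits; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60, year=2018):
    """Return a list of (ip, kind, iso_timestamp) alerts.

    kind is "bruteforce" when at least `threshold` failed password attempts from one
    source IP fall inside a sliding window of `window_seconds`, and
    "success_after_bruteforce" when an Accepted login later arrives from an IP that
    has already been flagged. `year` is assumed because syslog timestamps omit it.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failed password attempts in the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
        ip = m["ip"]
        if m["result"] == "Failed":
            if m["method"] != "password":
                continue  # only password guessing is the brute-force signal of interest
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop attempts that fell out of the sliding window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", ts.isoformat()))
        elif ip in flagged:
            # A successful login from a source already seen brute-forcing is the
            # highest-priority alert: the host should be treated as compromised.
            alerts.append((ip, "success_after_bruteforce", ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for ip, kind, when in detect_ssh_bruteforce(SAMPLE_LOG):
        print(f"{when} {ip} {kind}")
```

In the constructed sample, 203.0.113.7 is flagged on its fifth failure and again when its password login succeeds a second later, while 198.51.100.4 (two failures five minutes apart, then a key-based login) produces nothing. The check covers the victim side only: a host that is already running the worm shows its activity as outbound SSH connections, not in its own auth log. Since this propagation relies on guessable passwords, disabling password authentication for SSH in favour of keys removes the vector entirely.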

Reporting and Technical Details:

  • June 2018: Operation Prowli: Monetizing 40,000 Victim Machines. (GuardiCore)

Image Source: GuardiCore