Operation Prowli[1] is a traffic manipulation and cryptocurrency mining campaign infecting a wide number of organizations in critical infrastructure sectors such as finance, education and government.  This campaign spreads malware and malicious code to servers and websites and has compromised more than 40,000 machines in multiple areas of the world.


The malware has already hit more than 40,000 victim machines from over 9,000 businesses in various domains; to include finance, education and government organizations.  It uses various attack techniques of exploits, password brute-forcing and weak configurations.

The devices infected by the malware include:

  • Drupal and WordPress CMS servers hosting popular websites
  • Joomla! servers running the K2 extension
  • Backup servers running HP Data Protector software
  • DSL modems
  • Servers with an open SSH port
  • PhpMyAdmin installations
  • NFS boxes
  • Servers with exposed SMB ports
  • Vulnerable Internet-of-Thing (IoT) devices


The goals of the malware include:

  • Cryptocurrency mining
  • Promote and redirect to fake websites
  • Running scams


Figure 1 – Flow [1]

The r2r2 worm randomly generates IP address blocks and respectively attempts to brute force SSH logins with a user and password dictionary.  Once it breaks in, it runs a series of commands on the victim.  It downloads multiple versions of a worm for different CPU architectures, a cryptocurrency miner “and” a configuration file.

Besides cryptocurrency miner attackers are also using a well-known open source webshell called, "WSO Web Shell" [2] to modify the compromised servers, eventually allowing attackers to redirect visitors of websites to fake sites distributing.

Prevention and Mitigation Strategies

Our customers need to follow the following guidelines in order to protect themselves from the threat:

  • As using a mix of known vulnerabilities and credential guessing to compromise devices users should make sure their systems are patched and up to date
  • Always use strong and complex passwords
  • All major CMS vendors like Drupal, WordPress etc. are issuing regular patches make sure you keep an eye on them



[1] https://www.guardicore.com/wp-content/uploads/2018/06/prowli-post6-monetization.jpg

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance