A malicious campaign has compromised more than 40,000 machines globally, carrying out traffic-hijacking and cryptomining.
Researchers at Guardicore Labs, who called the campaign Operation Prowli, said it targets a variety of platforms – including Drupal CMS websites, WordPress sites, backup servers running HP Data Protector, DSL modems and vulnerable IoT devices.
“Victim machines are monetized using a variety of methods, relying on internet trends such as digital currencies and traffic redirection,” Guardicore Labs said on Wednesday in a post about the campaign. “Traffic monetization frauds are quite common and are based on redirecting website visitors from their legitimate destination to websites advertising malicious browser extensions, tech support scam services, fake services and more.”
Guardicore researchers Ofri Ziv and Daniel Goldberg said they first discovered the campaign on April 4, when Guardicore's deception technology flagged a group of SSH attacks communicating with a C&C server.
The researchers told Threatpost that they estimate that the attackers have been operational since early 2018, according to compile times and different log files.
These attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools collectively named r2r2 (written in Golang), across several networks in different countries, along with a cryptocurrency miner.
Upon further investigation, the researchers found that Operation Prowli was compromising a raft of victims – from financial to state and local governments – and targeting servers via open SSH ports, CMS servers hosting popular websites and insecure IoT devices.
“We believe the majority of their income is through traffic-hijacking, because it’s a consistent source that’s easy to monetise,” Goldberg told Threatpost.
Interestingly, researchers said that the campaign operators keep a toolbox of attack methods to fit their needs, so the individual attacks rely on a mix of known vulnerabilities and credential-guessing.
Machines running SSH, for instance, are hacked by a self-propagating worm spread by brute-force credential-guessing. The victim machines will then download and run a cryptocurrency miner.
Once the worm breaks into a machine and infects it, it runs a series of commands to download files from a hard-coded server. These include multiple copies of the worm for different CPU architectures (x86, ARM and MIPS), plus a cryptocurrency miner and its configuration file.
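The SSH infection path described above (a burst of failed password guesses from one source, then a successful login from the same source) leaves a recognisable trace in sshd's auth log. The following detector is an added example written for this article; it is not Guardicore's tooling or anything from the campaign. It parses the standard OpenSSH "Failed password" / "Accepted ..." log format, counts failures per source address inside a sliding time window, and records whether a success followed the burst, which is the point at which a password-guessing worm would have gained a foothold. The log lines are constructed (documentation IP ranges), the year 2018 is assumed because syslog timestamps omit it, and the threshold and window values are illustrative defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not from the article). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges. The burst from 203.0.113.5 models
# credential guessing that ends in a successful root login; the other two
# sources are ordinary noise and must not be flagged.
SAMPLE_AUTH_LOG = """\
Jun  6 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun  6 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jun  6 10:00:03 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jun  6 10:00:04 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jun  6 10:00:05 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jun  6 10:00:07 web1 sshd[2111]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Jun  6 10:05:00 web1 sshd[2150]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Jun  6 10:06:00 web1 sshd[2160]: Failed password for root from 198.51.100.9 port 40100 ssh2
"""

# Matches the OpenSSH auth-log lines relevant here; "invalid user" is emitted
# by sshd when the account does not exist, so it is skipped to get the name.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2018):
    """Return a dict for a login-attempt line, or None for unrelated lines.
    Syslog timestamps carry no year, so one is supplied (assumed 2018 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside a sliding
    window of `window_seconds`. For each flagged IP, record how many failures
    were seen, which usernames were tried, and the first successful login from
    that IP after the burst (None if the guessing never succeeded)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)      # ip -> timestamps of failures in window
    users = defaultdict(set)         # ip -> usernames attempted
    findings = {}
    for e in events:
        ip, q = e["ip"], recent[e["ip"]]
        # Drop failures that have fallen out of the sliding window.
        while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
            users[ip].add(e["user"])
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"first_seen": q[0], "failures": 0,
                                             "users": users[ip], "success_after": None})
                f["failures"] = max(f["failures"], len(q))
        elif ip in findings and findings[ip]["success_after"] is None:
            # A success from an IP already flagged for guessing is the signal
            # that matters: the account is very likely compromised.
            findings[ip]["success_after"] = (e["user"], e["ts"])
    return findings


def summarize(findings):
    """Render findings as one line per flagged source, for a ticket or alert."""
    lines = []
    for ip, f in sorted(findings.items()):
        status = "NO success seen"
        if f["success_after"]:
            user, ts = f["success_after"]
            status = f"login as {user} at {ts.isoformat()} (likely compromise)"
        lines.append(f"{ip}: {f['failures']} failures, users {sorted(f['users'])}, {status}")
    return lines


if __name__ == "__main__":
    for line in summarize(detect_bruteforce(SAMPLE_AUTH_LOG)):
        print(line)
```

In production the same logic would read `/var/log/auth.log` or the journal rather than the embedded sample, and the success-after-burst finding is the one worth paging on: a burst alone is background noise on any internet-facing SSH port, while a success from the same source means the worm's miner download is probably already underway.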
“The attackers’ attack tools report to a C&C server running under the domain name wp.startreceive[.]tk. This Joomla! server is a compromised server, which the attackers reuse to track their malware, collect information from the ever-growing victims list and also serve different payloads to compromised machines,” the researchers said.
Victim data from the various targeted services is stored in a log file, including login credentials for WordPress admin panels and SSH, URLs exposing vulnerable configuration panels on DSL modems, and more.
In addition to varying infection methods, the attackers behind Operation Prowli use different payloads for each of their targets.
“While ‘patch your servers and use strong passwords’ may sound trivial, we know that ‘in real life’ things are much more complicated,” the firm said. “Alternatives include locking down systems and segmenting vulnerable or hard to secure systems, to separate them from the rest of your network.”