
The GuardiCore security team has discovered a malicious traffic-manipulation and cryptocurrency-mining campaign, according to an announcement on June 6. The campaign infected over 40,000 machines across various industries, including finance and education.
The campaign, dubbed Operation Prowli, used techniques such as exploits and password brute-forcing to spread malware and take over devices such as web servers, modems, and Internet-of-Things (IoT) devices. GuardiCore found that the attackers behind Prowli were motivated by money rather than ideology or espionage.
According to the report, the compromised devices were infected with a Monero (XMR) miner and the r2r2 worm, which executes SSH brute-force attacks from the hacked devices and helps the Prowli operation spread to new victims. In other words, r2r2 randomly generates IP address blocks and tries to brute-force SSH logins against them with a username/password dictionary; after breaking in, it runs a series of commands on the victim. The GuardiCore team wrote:
"The attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools named r2r2 along with a cryptocurrency miner."
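The brute-force behaviour described above is visible on the victim side in sshd logs. The following detector is an added example, not code from GuardiCore or the report: it parses constructed syslog-style sshd lines (sample data, assumed format), flags a source IP that accumulates five or more failed logins within a sliding 60-second window (both values are arbitrary assumptions), and records whether that same source subsequently logged in successfully, which is the pattern a dictionary attack followed by a break-in would leave behind.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not from the report); RFC 5424-less syslog format, year assumed 2018.
SAMPLE_LOG = """\
Jun  6 10:00:01 web1 sshd[2011]: Failed password for root from 203.0.113.7 port 41000 ssh2
Jun  6 10:00:02 web1 sshd[2012]: Failed password for invalid user admin from 203.0.113.7 port 41001 ssh2
Jun  6 10:00:03 web1 sshd[2013]: Failed password for root from 203.0.113.7 port 41002 ssh2
Jun  6 10:00:04 web1 sshd[2014]: Failed password for root from 203.0.113.7 port 41003 ssh2
Jun  6 10:00:05 web1 sshd[2015]: Failed password for invalid user test from 203.0.113.7 port 41004 ssh2
Jun  6 10:00:06 web1 sshd[2016]: Accepted password for root from 203.0.113.7 port 41005 ssh2
Jun  6 10:05:00 web1 sshd[2020]: Failed password for alice from 198.51.100.9 port 50000 ssh2
Jun  6 10:30:00 web1 sshd[2030]: Accepted publickey for alice from 198.51.100.9 port 50001 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X" forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2018):
    """Return a list of (timestamp, source_ip, user, 'Failed'|'Accepted') events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failures inside a window_s sliding window,
    and note the user of any successful login from that IP after the burst."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    alerts = {}
    for ts, ip, user, result in sorted(events):
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "success_after_burst": None})
                a["failures"] = len(recent[ip])
        elif ip in alerts:
            # A success from an IP that was already bursting is the break-in signal.
            alerts[ip]["success_after_burst"] = user
    return alerts
```

On the sample data only 203.0.113.7 is flagged, with the later `Accepted password for root` recorded as the break-in; 198.51.100.9's single failure stays below the threshold.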
Additionally, the cybercrooks used an open-source webshell named "WSO Web Shell" to alter the compromised websites so that they host malicious code that redirects visitors to a traffic distribution system, which in turn redirects them to various other malicious sites. Once redirected to a fake website, visitors were lured into clicking on malicious browser extensions. The GuardiCore team reported that Prowli managed to compromise more than 9,000 companies.
Last month, a new piece of malware mined 133 Monero tokens in three days. Cybersecurity firm 360 Total Security discovered that the malware, referred to as WinstarNssmMiner, presents a fresh challenge to users because it can both mine on and crash infected machines.
Published at Thu, 07 Jun 2018 02:35:00 +0000