Operation Prowli Malware Campaign

An advanced malware campaign known as Operation Prowli has been observed targeting a variety of systems worldwide. Vulnerable platforms include content management systems (CMS), Internet-of-Things (IoT) devices and modems.

Threat ID:: CC-2473
Category:
Threat Severity:: Medium
Threat Vector:
Published:: 7 June 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Threat details

Financial, industrial and governmental organisations affected worldwide.

The attackers behind Operation Prowli use a wide variety of bespoke malware tools and exploits to compromise systems. A worm called r2r2 is used to scan for systems with publicly reachable SSH ports and performs brute-force attack against them to gain access. It will then download and install a variant of the XMRig cryptocurrency miner before scanning for new targets.

Manual attacks are performed against CMS servers with the intention of re-purposing them to serve malicious files to users. Different payloads are delivered depending on the type of device visiting the compromised websites. Affected servers will also be used in malvertising, SEO fraud and traffic redistribution campaigns.

For further information:

Remediation steps

Type	Step
	The r2r2 worm and cryptocurrency miner are non-persistent and can be removed by performing a reset on affected devices. Ensure SSH ports are secured and credentials are changed to prevent re-infection. Websites compromised by Operation Prowli will contain certain JavaScript or PHP code. The following files contain known code snippets, if a website contains these it is highly likely it is compromised and requires remediating: Prowli_JS.txt Prowli_PHP.txt Additionally, to prevent and detect an infection ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

The r2r2 worm and cryptocurrency miner are non-persistent and can be removed by performing a reset on affected devices. Ensure SSH ports are secured and credentials are changed to prevent re-infection.

Websites compromised by Operation Prowli will contain certain JavaScript or PHP code. The following files contain known code snippets, if a website contains these it is highly likely it is compromised and requires remediating:

Additionally, to prevent and detect an infection ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

CVE Vulnerabilities

Status

CVE-2014-2623

Status

CVE-2018-7482

Last edited: 17 February 2020 12:51 pm