Posted: June 13, 2018

Prowli Description

Prowli is a campaign that employs a variety of worms, software vulnerabilities, Trojans, and attack methods for modifying your Web-browsing traffic and running non-consensual cryptocurrency miners. While malware experts judge business networks and servers as being at the most risk of an attack, this operation's infection vectors aren't specific to any individual industry. Users seeing any of the symptoms described in this article should let their anti-malware products remove all Prowli software and related settings from their computers.

Criminals Making Money from Any Business They Can Breach

New threat actors are administering a campaign that takes over Windows PCs in the business sector without discriminating between industries, with the motive of generating money consistently. The campaign, Prowli, uses a cocktail of threatening software types, including self-duplicating worms and browser hijackers, for mining the Monero cryptocurrency and monetizing Web traffic. The infection methods at play also use multiple strategies, according to what's most convenient for each target.

The Prowli attacks use both old, well-known and brand-new Black Hat software and vulnerabilities for compromising different PCs, as well as Internet-of-Things (or IoT) devices. Current estimates by malware experts place the number of compromised systems at tens of thousands, spread across roughly nine thousand individual companies. Since the infections employ attacks that hijack resources and online traffic without showing any notable symptoms, alerts from security software are the best flag available to Prowli's victims.

Malware researchers are emphasizing the following threats as top-priority risks from Prowli infections:

  • This campaign drops the Golang-based r2r2 worm as a primary component of its payload, which creates copies of itself and runs a Monero-mining program that uses the infected PC's hardware automatically.
  • Website-based targets of a Prowli attack suffer from PHP and JavaScript-based injections that can redirect their traffic towards corrupted websites, including '.tk' domains hosting fake Windows security alerts and other tactics.
  • Many of the infection strategies Prowli uses (see this article's second half) also grant the threat actors an unsafe degree of control over a PC, IoT device or website. Any information on a compromised system, including logins, should be assumed to be compromised as well.

Putting Prowlers in Unprofitable Places

Because Prowli compromises very different kinds of targets, each victim will require different security precautions, depending on their circumstances. Website admins may search their site's code for the PHP modifications that are specific to Prowli. Monitoring your network's Web-browsing traffic also can identify attempts at contacting the '.tk' domains that Prowli's traffic-hijacking and C&C communications utilize. As always, malware experts suggest keeping JavaScript, Java, and Flash disabled in your browser unless they're necessary for viewing a trusted site's content.
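One way to act on the traffic-monitoring advice above, as an added example that is not part of the original article: a small Python filter that scans DNS-style log lines for lookups of '.tk' names and tallies them per client host, so the machines that most need a full scan surface first. The log line format and the sample entries are constructed for this illustration.

```python
"""Flag name lookups for '.tk' domains, the TLD the Prowli campaign used for
traffic redirection and C&C. Added example; the log format is assumed."""
import re
from collections import Counter

# Constructed sample log lines in a simplified "timestamp client query qtype name" format.
SAMPLE_LOG = """\
2018-06-13T10:01:02Z 10.0.0.14 query A www.example.com.
2018-06-13T10:01:05Z 10.0.0.14 query A cdn.example.net.
2018-06-13T10:01:09Z 10.0.0.27 query A alerts-win-update.tk.
2018-06-13T10:02:11Z 10.0.0.27 query AAAA ALERTS-WIN-UPDATE.TK
2018-06-13T10:03:40Z 10.0.0.31 query A sub.host.cdn.tk.
2018-06-13T10:04:01Z 10.0.0.31 query A tkwatch.example.org.
malformed line here
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<name>\S+)$"
)

def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'A.TK.' and 'a.tk' compare equal."""
    return name.rstrip(".").lower()

def has_tld(name: str, tld: str = "tk") -> bool:
    """True only when the final label is exactly the TLD (so 'tkwatch.example.org' is not a hit)."""
    labels = normalize(name).split(".")
    return len(labels) >= 2 and labels[-1] == tld

def find_tk_lookups(log_text: str):
    """Return (client, normalized name) pairs for every .tk query; malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and has_tld(m.group("name")):
            hits.append((m.group("client"), normalize(m.group("name"))))
    return hits

def clients_to_review(log_text: str) -> Counter:
    """Aggregate hits per client so the hosts with the most .tk lookups come first."""
    return Counter(client for client, _ in find_tk_lookups(log_text))

if __name__ == "__main__":
    for client, count in clients_to_review(SAMPLE_LOG).most_common():
        print(f"{client}: {count} .tk lookup(s)")
```

A real deployment would read the resolver's or proxy's log format instead of the constructed one, but the TLD check and per-client aggregation carry over unchanged.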

Secure passwords are valuable defenses against the brute-force techniques that form one-half of Prowli's primary infection strategies. Passwords with simple, short, default, or easy-to-guess strings can lead to criminals gaining complete, backdoor access to a PC and the rest of its network. Poor server configuration settings and software vulnerabilities, such as those found in outdated versions of WordPress, also are instigating factors. Server admins who install all security updates are at less risk of suffering an attack. Due to the diversity of threats associated with this campaign, victims should have their anti-malware software remove all Prowli infections during a full system scan of the machine before changing their passwords.

Thanks to researchers, the public now has access to detailed analyses of how the Prowli campaign works and what its operational motivators are. Lamentably, these details also show that thousands of businesses and website owners still aren't implementing some of the most basic security practices.
