
Prowli

Posted: June 13, 2018

Prowli is a campaign that employs a variety of worms, software vulnerabilities, Trojans, and attack methods to hijack your Web-browsing traffic and run cryptocurrency miners without consent. While malware experts judge business networks and servers to be at the greatest risk, the operation's infection vectors aren't specific to any industry. Users seeing any of the symptoms described in this article should let their anti-malware products remove all Prowli software and related settings from their computers.

Criminals Making Money from Any Business They can Breach

A new group of threat actors is running a campaign that takes over computers and servers in the business sector without discrimination between industries, with the consistent motive of generating money. The campaign, Prowli, uses a cocktail of threatening software, including self-propagating worms and browser hijackers, to mine the Monero cryptocurrency and monetize hijacked Web traffic. Its infection methods vary likewise, according to what is most convenient for each target.

The Prowli attacks use both old, well-known and brand-new Black Hat software and vulnerabilities to compromise PCs, servers and Internet-of-Things (IoT) devices. Current estimates by malware experts place the number of compromised systems in the tens of thousands, spread across roughly nine thousand companies. Because the infections hijack resources and online traffic without showing notable symptoms, alerts from security software are the best flag available to Prowli's victims.

Malware researchers are emphasizing the following threats as top-priority risks from Prowli infections:

  • This campaign drops the Golang-based r2r2 worm as a primary component of its payload; the worm spreads copies of itself to other hosts and runs a Monero-mining program that uses the infected machine's hardware automatically.
  • Websites compromised by Prowli are injected with PHP and JavaScript code that redirects their visitors' traffic to corrupted websites, including '.tk' domains hosting fake Windows security alerts and similar tactics.
  • Many of the infection strategies Prowli uses (see this article's second half) also grant the threat actors a dangerous degree of control over a PC, IoT device or website. Any information stored on or entered into a compromised system, including logins, should be assumed to be compromised.

Putting Prowlers in Unprofitable Places

Because it compromises very different kinds of targets, each Prowli victim will require different security precautions, depending on their circumstances. Website admins may search their site's code for the PHP modifications specific to Prowli. Monitoring your network's Web-browsing traffic also can identify attempts to contact the '.tk' domains that Prowli's traffic hijacking and C&C communications use. As always, malware experts suggest keeping JavaScript, Java, and Flash disabled in your browser unless they're necessary for viewing a trusted site's content.
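As an added example (not code from the original page or from the Prowli researchers), the following Python script shows two of the checks described above: flagging requests to '.tk' domains in a Web proxy log, and finding URL references to '.tk' hosts inside PHP or JavaScript source. The proxy log format, the sample log lines and the sample PHP fragment are all constructed for illustration. Real Prowli injections are not quoted on this page, so the source scan looks only for the '.tk' destinations the text mentions rather than for a campaign-specific signature.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not taken from the page or from any real capture).
# Assumed format: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2018-06-12T10:01:03Z 10.0.4.17 GET http://example.com/index.php 200
2018-06-12T10:01:09Z 10.0.4.17 GET http://update-check.example.tk/r.php?id=17 302
2018-06-12T10:02:44Z 10.0.4.21 POST http://cdn.example.org/assets/app.js 200
2018-06-12T10:03:10Z 10.0.4.21 GET http://tk.example.net/ 200
2018-06-12T10:05:30Z 10.0.4.17 GET https://alert-windows-security.example.tk/ 200
"""

# Constructed PHP fragment with two hypothetical injected '.tk' references.
SAMPLE_PHP = """<?php
require_once 'wp-load.php';
echo '<script src="https://cdn.example.org/jquery.js"></script>';
echo '<script src="http://static.example.tk/stat.js"></script>';
header('Location: http://go.example.tk/?r=' . urlencode($_SERVER['HTTP_REFERER']));
"""

LOG_LINE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$')

# A URL whose host ends in ".tk"; the lookahead stops the match at the host boundary
# so "example.tk.example.net" is not reported as a .tk host.
URL_IN_SOURCE = re.compile(r'https?://([a-z0-9.-]+\.tk)(?=[/"\'\s?]|$)', re.I)


def is_tk_domain(host: str) -> bool:
    """True when the host is under the .tk ccTLD (suffix match, not substring)."""
    return host.lower().rstrip('.').endswith('.tk')


def find_tk_contacts(log_text: str):
    """Return (client_ip, host) pairs for every proxied request to a .tk host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        host = urlparse(url).hostname or ''
        if is_tk_domain(host):
            hits.append((client, host))
    return hits


def find_tk_references(source: str):
    """Return the sorted, unique .tk hosts referenced by URL inside PHP/JS source."""
    return sorted({m.group(1).lower() for m in URL_IN_SOURCE.finditer(source)})


if __name__ == '__main__':
    for client, host in find_tk_contacts(SAMPLE_PROXY_LOG):
        print(f'proxy: {client} contacted .tk host {host}')
    for host in find_tk_references(SAMPLE_PHP):
        print(f'source: reference to .tk host {host}')
```

The TLD check is a suffix match, so a host such as tk.example.net is not flagged. Treat a '.tk' hit as a lead rather than proof: the TLD has legitimate users, so confirm with the rest of the session and the content of the page that was fetched.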

Strong passwords are valuable defenses against the brute-force attacks that form one half of Prowli's primary infection strategy. Simple, short, default, or easy-to-guess passwords can let criminals gain complete backdoor access to a machine and the rest of its network. Poor server configuration and software vulnerabilities, such as those found in outdated versions of WordPress, are the other instigating factor; server admins who install all security updates are at less risk of an attack. Due to the diversity of threats associated with this campaign, victims should have their anti-malware software remove all Prowli infections during a full system scan before changing their passwords, since a password changed on a still-infected machine can simply be captured again.
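As an added example, not code from the original page, here is a Python detector for the brute-force half of Prowli's infection strategy, run over constructed OpenSSH-style auth log lines (the page does not state which services Prowli brute-forces; SSH is assumed here for the sample only). It counts failed logins per source address in a sliding time window and, more importantly, reports any successful login that follows a flagged burst, which is the event that indicates an actual compromise rather than an attempt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log style; not from the page or a real host.
SAMPLE_AUTH_LOG = """\
2018-06-12T09:00:01 sshd[411]: Failed password for root from 203.0.113.9 port 51022 ssh2
2018-06-12T09:00:02 sshd[411]: Failed password for root from 203.0.113.9 port 51023 ssh2
2018-06-12T09:00:02 sshd[412]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
2018-06-12T09:00:03 sshd[413]: Failed password for root from 203.0.113.9 port 51025 ssh2
2018-06-12T09:00:04 sshd[414]: Failed password for root from 203.0.113.9 port 51026 ssh2
2018-06-12T09:00:05 sshd[415]: Accepted password for root from 203.0.113.9 port 51027 ssh2
2018-06-12T09:10:00 sshd[420]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2018-06-12T09:20:00 sshd[421]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2018-06-12T09:20:30 sshd[422]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

AUTH_LINE = re.compile(
    r'^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'
)


def analyse_auth_log(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Sliding-window brute-force detection per source IP.

    Returns (bruteforcers, compromised): the set of IPs that reached `threshold`
    failures within `window_seconds`, and (ip, user) pairs for every login that
    succeeded from an IP already flagged, i.e. a likely guessed password.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bruteforcers = set()
    compromised = []
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue  # unrelated sshd line or different format
        ts = datetime.fromisoformat(m['ts'])
        ip, user, result = m['ip'], m['user'], m['result']
        if result == 'Failed':
            window = failures[ip]
            window.append(ts)
            # drop failures older than the window before counting
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                bruteforcers.add(ip)
        elif ip in bruteforcers:
            compromised.append((ip, user))
    return bruteforcers, compromised


if __name__ == '__main__':
    flagged, hits = analyse_auth_log(SAMPLE_AUTH_LOG)
    for ip in sorted(flagged):
        print(f'brute force from {ip}')
    for ip, user in hits:
        print(f'ALERT: successful login for {user} from brute-forcing host {ip}')
```

The threshold and window are deliberately low so the sample triggers; tune them to the host's normal failure rate. Two failures ten minutes apart (the second address in the sample) are not flagged, because the window has expired between them.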

Thanks to researchers, the public now has access to detailed analyses of how the Prowli campaign works and what motivates its operators. Lamentably, these details also show that thousands of businesses and website owners still aren't implementing some of the most basic security practices.
