Prowli Malware Operation Infected Over 40,000 Servers, Modems, and IoT Devices
Named Prowli and discovered by the GuardiCore security team, this botnet is a diverse operation that relies on vulnerability exploitation and credential brute-force attacks to infect and take over devices.
The following types of servers and devices have been known to be infected by the Prowli group in recent months:
Furthermore, the Prowli group also operates an SSH scanner module that attempts to guess the username and password of devices that expose their SSH port on the Internet.
Once servers or IoT devices have been compromised, the Prowli group determines if they can be used for heavy cryptocurrency mining operations.
Those that can are infected with a Monero miner and the r2r2 worm, a malware strain that performs SSH brute-force attacks from the hacked devices and helps the Prowli botnet expand with new victims.
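Both the Prowli SSH scanner module and the r2r2 worm described above rely on the same behaviour from a defender's point of view: a single source address producing a burst of failed SSH logins, often against several usernames, sometimes followed by a successful login. The script below is an added example, not code from the article or from GuardiCore's research, that detects that pattern in OpenSSH `auth.log` lines. The log lines, IP addresses, usernames and thresholds are constructed for illustration; the detection logic is a generic sliding-window count per source that any host or SIEM rule could replicate.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (illustrative, not real data).
# 198.51.100.7 cycles through several accounts and then gets in as root;
# 203.0.113.5 is a legitimate user with one typo followed by a key login.
SAMPLE_LOG = """\
Jun  6 10:12:01 gw sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jun  6 10:12:03 gw sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Jun  6 10:12:05 gw sshd[2105]: Failed password for invalid user pi from 198.51.100.7 port 40141 ssh2
Jun  6 10:12:08 gw sshd[2107]: Failed password for invalid user ubuntu from 198.51.100.7 port 40150 ssh2
Jun  6 10:12:10 gw sshd[2109]: Failed password for root from 198.51.100.7 port 40161 ssh2
Jun  6 10:12:13 gw sshd[2111]: Accepted password for root from 198.51.100.7 port 40170 ssh2
Jun  6 10:30:44 gw sshd[2201]: Failed password for alice from 203.0.113.5 port 51002 ssh2
Jun  6 10:30:59 gw sshd[2203]: Accepted publickey for alice from 203.0.113.5 port 51010 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2018):
    """Return a dict for one sshd auth line, or None if the line is not a login result.
    syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the padded day ("Jun  6" -> "Jun 6")
    return {
        "ts": datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"),
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def parse_log(text, year=2018):
    return [ev for ev in (parse_line(l, year) for l in text.splitlines()) if ev]


def detect_bruteforce(events, threshold=5, window_seconds=300):
    """Flag each source IP with at least `threshold` failed logins inside any
    `window_seconds` interval. If a login from that IP succeeds at or after the
    burst, record which account was opened so responders can prioritise it."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]

        # Sliding window over the sorted failure timestamps.
        burst_end = None
        start = 0
        for end in range(len(failures)):
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]["ts"]
                break
        if burst_end is None:
            continue

        success = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= burst_end]
        alerts.append({
            "ip": ip,
            "failures": len(failures),
            "distinct_users": sorted({e["user"] for e in failures}),
            "compromised_login": success[0]["user"] if success else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

The `distinct_users` field is the useful discriminator: a real user mistyping a password hits one account, whereas a scanner walking a credential list hits `root`, `admin`, `pi`, `ubuntu` and so on. A non-empty `compromised_login` is the case that needs immediate response, since a device logged into after such a burst is exactly the kind of host the article says is then checked for mining capacity and seeded with the worm. The standard mitigations remain key-only authentication, disabling root password login, and rate limiting such as fail2ban.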