Operation Prowli Malware

An advanced malware campaign known as Operation Prowli has been observed targeting a variety of systems worldwide. Vulnerable platforms include content management systems (CMS), IoT devices and modems, and the affected organisations span the financial, industrial and governmental sectors.

The attackers behind Operation Prowli are focused on making money from their efforts rather than ideology or espionage. The first source of revenue comes from cryptocurrency mining. Typically, cryptocurrency mining is considered a resource-heavy operation that involves a large upfront investment followed by ongoing traffic and energy costs. The attackers behind Prowli incur no expenses when they use r2r2 to take over computers owned by others and use mining pools to launder their gains.

The second source of revenue is traffic monetization fraud. Traffic monetizers, such as roi777, buy traffic from “website operators” such as the Prowli attackers and redirect it to domains on demand. The website “operators” earn money for the traffic they send through roi777. The destination domains frequently host different scams, such as fake services, malicious browser extensions and more.

The attackers behind Operation Prowli use a wide variety of bespoke malware tools and exploits to compromise systems. A worm called r2r2 scans for systems with publicly reachable SSH ports and performs brute-force attacks against them to gain access. It then downloads and installs a variant of the XMRig cryptocurrency miner before scanning for new targets.
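A defender's view of the r2r2 behaviour described above, as an added example that is not from the original article: it scans sshd log lines for a source that fails password logins repeatedly and then succeeds. The log lines are constructed, and the function name `find_bruteforce` and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the OpenSSH sshd syslog format (not from the article).
SAMPLE_LOG = """\
Jun  6 10:00:01 web1 sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun  6 10:00:02 web1 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jun  6 10:00:03 web1 sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jun  6 10:00:04 web1 sshd[1004]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jun  6 10:00:05 web1 sshd[1005]: Accepted password for root from 203.0.113.5 port 40004 ssh2
Jun  6 10:00:06 web1 sshd[1006]: Accepted publickey for deploy from 198.51.100.9 port 50002 ssh2
Jun  6 10:00:07 web1 sshd[1007]: Accepted password for alice from 198.51.100.7 port 50003 ssh2
"""

# Matches both "for root" and "for invalid user admin" variants.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=3):
    """Return (noisy, compromised).

    noisy:       source IPs with at least `threshold` failed password logins
    compromised: (ip, user) pairs where a password login succeeded after
                 that IP had already reached the threshold
    """
    failures = defaultdict(int)
    noisy, compromised = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["method"] != "password":
            continue  # only password authentication is relevant to guessing
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold:
                noisy.add(ip)
        elif ip in noisy:
            compromised.append((ip, m["user"]))  # success after brute force
        else:
            failures[ip] = 0  # ordinary login after a mistyped password
    return noisy, compromised

if __name__ == "__main__":
    noisy, compromised = find_bruteforce(SAMPLE_LOG)
    print("brute-force sources:", sorted(noisy))
    print("successful logins after brute force:", compromised)
```

Any pair reported in `compromised` is a host to check for an unexpected miner process and outbound scanning on port 22.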

Manual attacks are performed against CMS servers with the intention of re-purposing them to serve malicious files to users. Different payloads are delivered depending on the type of device visiting the compromised websites. Affected servers will also be used in malvertising, SEO fraud and traffic redistribution campaigns.

Further details regarding this can be found here – https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/

Domains / IPs To Block


stats.startreceive[.]tk (traffic redirection)

wp.startreceive[.]tk (C&C)



Duncan is a technology professional with over 20 years' experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.
