CryptoMode Operation Prowli Malware

Using cryptocurrency malware has been a popular trend among cybercriminals for quite some time now and it now seems a new cryptocurrency mining malware, dubbed as Operation Prowli, is causing a lot of problems for alt-asset holders all over the world.

Cryptocurrency Mining Malware Remains Popular

According to Guardicore, Operation Prowli is well worth keeping an eye on but not for the right reasons, as this malware campaign has successfully infected 40,000 computers and servers all over the world in the past few weeks.

As one would expect from such a campaign, the main goal is to infect the target machines and hijack their computing resources to mine cryptocurrencies.

It seems Operation Prowli is quite versatile in many different ways as its attack vectors range from password brute-forcing to exploiting weak security configurations. Additionally, the cryptocurrency mining malware doesn’t target one specific industry either. It has been discovered on various CMS servers, backup servers, IoT devices, and DSL modems.

Malware Details

So far, it seems like all of the havoc has been caused by a worm virus known as ‘r2r2’. This malware was identified through monitored SSH attacks communicating with a command and control server, all of whom requested the same payload from the central server.

Additionally, the attacks have also been found to download a cryptocurrency mining protocol secretly in the background.

Monetizing such a global cryptocurrency mining malware campaign poses different challenges. The team responsible for launching Operation Prowli mainly focuses on the mining of Monero, which will not come as a big surprise. Additionally, the “toolkit” also relies on traffic monetization fraud by buying traffic and redirecting it to domains on demand. It is a very complex business model which also goes to show how crafty cybercriminals are getting in this regard.

Final Thoughts

It seems as though it will be incredibly difficult to put a halt to Operation Prowli even though it is clear that a centralized command and control server needs to be shut down to eliminate the malware. However, it is still not certain if backup servers are lurking in the shadows and given the vast array of services that the malware seems to attack, predicting future targets will also be incredibly difficult.


Looking to advertise? We will gladly help spread the word about your project, company, or service. CryptoMode produces high quality content for cryptocurrency companies. We have provided brand exposure for dozens of companies to date, and you can be one of them. All of our clients appreciate our value/pricing ratio. Contact us if you have any questions: [email protected]