Kitty Malware Targets Drupal Vulnerability to Mine Monero - Bitsonline


Researchers discovered a new malware, Kitty, that attacks Drupal websites to mine Monero. According to security researchers, the malware targets the Drupalgeddon 2.0 vulnerability.


According to cybersecurity leader Imperva’s Incapsula, the Drupal Content Management System (CMS) became the latest platform to fall victim to cryptojacking. Earlier this year, a highly critical vulnerability was discovered in versions 7.x and 8.x of Drupal CMS, which allowed attackers to gain complete control over affected websites.

With a Meow, Kitty Pounces on Monero

With the vulnerability, hackers can employ multiple attack vectors to completely compromise Drupal websites. They can embed crypto mining scripts, steal data, or even shut sites down.

Incapsula’s findings state:

“In a nutshell, the Drupalgeddon 2.0 vulnerability is caused by insufficient sanitation of arrays objects at Drupal’s core modules, which can be used as an entry point to remote execution of malicious code.”

Attackers have leveraged the vulnerability as a point of entry to deploy the Kitty malware and base it in Drupal setup files. Kitty uses “webminerpool”, an open-source mining software designed for browsers.

The researchers state: “Once the Kitty bash script is executed, a PHP file named “kdrupal.php” is written to the infected server disc.”

Once the server is infected, the Drupal vulnerability comes into play, allowing the attacker to establish a backdoor into the system. The malware is designed so that a time-based job scheduler executes the script at one-minute intervals, resulting in continuous reinfection. The same mechanism also allows attackers to push updates to the Kitty malware.

Once the hacker has complete control over the server, a popular Monero miner “kkworker” commences the mining process. All the mined Monero is directly deposited into the digital wallet of the hacker.


An Organized Approach to Attacking Drupal Websites

The malware does not stop at one server; it spreads to other web resources. According to Incapsula researchers:

“Gaining a single, strong mining server is great. The attacker, however, has much bigger plans – distributing the mining effort to the web app visitors. To do so, the attacker infects different web resources with a mining script – me0w.js. The attacker initially tries to alter the commonly used index.php file and add to it the malicious JavaScript me0w.js.”

Accordingly, the attacker will mine Monero from all visitors to the infected web server. To ensure the mining script does not get deleted, the attacker leaves a comment stating:

“printing ‘me0w, don’t delete pls I am a harmless cute little kitty, me0w’.”
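A defender's check for the indicators named above (kdrupal.php, me0w.js, the kkworker miner and the one-minute scheduled job), as an added example that is not from Incapsula or the original article. It assumes the scheduler is cron; the function names, the sample file tree and the crontab line are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators named in the article; the cron assumption and sample data are added here.
BAD_FILENAMES = {"kdrupal.php", "me0w.js"}
BAD_STRINGS = (b"me0w.js", b"kdrupal.php", b"kkworker")
WEB_EXTS = (".php", ".js", ".html", ".htm")
EVERY_MINUTE = re.compile(r"^\s*\*\s+\*\s+\*\s+\*\s+\*\s+(.+)$")

def scan_webroot(root):
    """Return sorted (reason, relative_path) findings under a web root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.lower() in BAD_FILENAMES:
                findings.add(("dropped-file", rel))
            if not name.lower().endswith(WEB_EXTS):
                continue
            with open(os.path.join(root, rel), "rb") as fh:
                data = fh.read(2_000_000)  # cap bytes read per file
            for needle in BAD_STRINGS:
                # A file mentioning its own name is not a reference to it.
                if needle in data and needle.decode() != name.lower():
                    findings.add(("references:" + needle.decode(), rel))
    return sorted(findings)

def scan_crontab(text):
    """Return commands scheduled every minute (assumes the scheduler is cron)."""
    return [m.group(1).strip() for line in text.splitlines()
            if (m := EVERY_MINUTE.match(line))]

def build_sample(root):
    """Constructed tree: a clean file, an altered index.php, a dropped file."""
    samples = {
        "index.php": '<?php echo "<script src=/me0w.js></script>"; ?>',
        "kdrupal.php": "<?php /* constructed placeholder, no payload */ ?>",
        os.path.join("sites", "ok.php"): "<?php echo 'hello'; ?>",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_webroot(tmp))
    print(scan_crontab("* * * * * /tmp/constructed-job.sh\n0 3 * * * backup"))
```

Every-minute cron entries can be legitimate, so treat crontab hits as leads to review against the web server user's expected jobs rather than as confirmed infections.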

The researchers suspect the attack is highly organized, as the first Kitty malware version was 1.5, with the new one 1.6. Just as a software developer updates software to fix bugs, the attacker updates the malware by adding new features to make the attack stronger.

Although it is not the first crypto mining malware to be developed, the approach of the attacker seems to be more organized and resilient. In March, Microsoft noted that the illegal mining of cryptocurrency was becoming an increasing threat.
