Researchers have discovered a new Kitty malware that attacks Drupal websites to mine Monero. According to security researchers, the malware targets the Drupalgeddon 2.0 vulnerability.
According to cybersecurity leader Imperva’s Incapsula, the Drupal Content Management System (CMS) has become the latest platform to fall victim to cryptojacking. Earlier this year, a highly critical vulnerability was discovered in versions 7.x and 8.x of Drupal CMS, which allowed attackers to gain complete control over affected websites.
With the vulnerability, hackers can employ multiple attack vectors to completely compromise Drupal websites. They can embed crypto mining scripts, steal data, or even shut sites down.
Incapsula’s findings state:
“In a nutshell, the Drupalgeddon 2.0 vulnerability is caused by insufficient sanitation of arrays objects at Drupal’s core modules, which can be used as an entry point to remote execution of malicious code.”
Attackers have leveraged the vulnerability as a point of entry to deploy Kitty malware within the Drupal installation’s files. Kitty malware uses open source mining software, “webminerpool”, which is designed to run in browsers.
The researchers state: “Once the Kitty bash script is executed, a PHP file named ‘kdrupal.php’ is written to the infected server disc.”
Once the server is infected, the Drupal vulnerability comes into play, allowing the attacker to establish a backdoor into the system. The malware is designed such that a time-based job scheduler executes the script at one-minute intervals, resulting in continuous re-infection. The same mechanism also allows attackers to push updates to the Kitty malware.
Once the hacker has complete control over the server, a popular Monero miner, “kkworker”, commences the mining process. All the mined Monero is deposited directly into the hacker’s digital wallet.
The malware does not infect just one server; according to Incapsula researchers, it spreads to other web resources.
Accordingly, the attacker will mine Monero from all visitors to the infected web server. To ensure the mining script does not get deleted, the attacker leaves a comment stating:
“printing ‘me0w, don’t delete pls I am a harmless cute little kitty, me0w’.”
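The indicators described above (the “kdrupal.php” file written to disk, the “kkworker” miner name, the “me0w” comment left in the mining script, and the scheduler job that re-runs every minute) are the kind of thing a site owner can check for. The following script is an added example written for this page, not code from Incapsula or the Drupal project: it parses a crontab for every-minute jobs and walks a web root looking for the file name and marker strings quoted in the article. The sample crontab and the sample web root it builds are constructed here for illustration; the regex, function names and the temporary-directory layout are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article's description of Kitty: a dropped file name
# and strings that appear in the miner / mining script. This is not a complete
# signature set; it only demonstrates the check.
MARKER_FILENAMES = {"kdrupal.php"}
MARKER_STRINGS = ("me0w", "kkworker")

# Matches a cron entry whose minute field is "*" or "*/1", i.e. a job that fires
# every minute, the cadence the article attributes to Kitty's re-infection job.
# The four remaining time fields are skipped; the rest of the line is the command
# (a system crontab's user column is simply absorbed into the command text).
EVERY_MINUTE_RE = re.compile(r"^\s*(\*|\*/1)\s+(\S+\s+){4}(.+)$")

# Constructed sample crontab (not a real capture).
SAMPLE_CRONTAB = """# constructed sample crontab
0 3 * * * /usr/bin/certbot renew
* * * * * /bin/sh /tmp/update.sh
*/5 * * * * /usr/local/bin/backup.sh
"""


def scan_crontab(text):
    """Return the cron entries that fire every minute.

    On a web server, an every-minute job that runs a script from a writable
    location is worth a second look; the article describes exactly that pattern.
    """
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if EVERY_MINUTE_RE.match(line):
            hits.append(stripped)
    return hits


def scan_webroot(root):
    """Walk a web root and report (path, reason) for files whose name or
    content matches one of the indicators quoted in the article."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name in MARKER_FILENAMES:
            findings.append((str(path), "suspicious filename"))
            continue
        try:
            data = path.read_text(errors="ignore")
        except OSError:
            continue
        for marker in MARKER_STRINGS:
            if marker in data:
                findings.append((str(path), f"contains marker '{marker}'"))
                break
    return findings


def build_sample_webroot():
    """Create a constructed sample web root in a temp directory and return it.

    The contents are placeholders for the demonstration only: one ordinary PHP
    file, one file carrying the dropped-file name from the article, and one
    script carrying the comment the attacker is reported to leave behind.
    """
    root = Path(tempfile.mkdtemp(prefix="drupal-sample-"))
    (root / "index.php").write_text("<?php // ordinary front controller\n")
    (root / "kdrupal.php").write_text("<?php // placeholder body, constructed\n")
    (root / "sites" / "default").mkdir(parents=True)
    (root / "sites" / "default" / "miner.js").write_text(
        "// me0w, don't delete pls I am a harmless cute little kitty, me0w\n"
    )
    return root


if __name__ == "__main__":
    for entry in scan_crontab(SAMPLE_CRONTAB):
        print("every-minute cron job:", entry)
    for path, reason in scan_webroot(build_sample_webroot()):
        print("finding:", path, "-", reason)
```

On a real host you would point `scan_webroot` at the Drupal document root and feed `scan_crontab` the output of `crontab -l` for the web server user plus the system crontab files; a hit on the file name or marker strings is a strong signal, while an every-minute job is only a prompt to inspect what the command actually runs.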
The researchers suspect the attack is highly organized, as the first observed Kitty malware version was 1.5 and the new one is 1.6. Just as a software developer updates software to fix bugs, the attacker updates the malware, adding new features to make the attack stronger.
Although it is not the first crypto mining malware to be developed, the attacker’s approach seems more organized and resilient than most. In March, Microsoft noted that the illegal mining of cryptocurrency was becoming an increasing threat.
Is cryptojacking one of the major threats in the computing world? Share your views in the comments section below.