Kitty Cryptocurrency Miner
An advanced cryptocurrency miner called Kitty has been observed exploiting the Drupal remote code execution vulnerability better known as Drupalgeddon 2.0 ( details here )
CVE-2018-7600 is exploited to deliver a Bash script to the target device. This script will then install a PHP file called ‘kdrupal’ containing a Base 64 encoded backdoor as well as register a cronjob to maintain persistence. Once this is done a variant of the XMrig Monero miner, referred to as kkworker, is installed.
Alongside mining cryptocurrency directly on the compromised server, Kitty will also attempt to distribute another mining script called me0w.js to any hosts that connect to the server.
The attacker initially tries to alter the commonly used index.php file and add to it the malicious JavaScript me0w.js,” a blog post explains. They then scan for all JavaScript files on the server and, once found, inject the same malicious me0w.js file.
It took us sometime to find any host’s to block for this one, but as a start it could be related to this :-
This is not a font.
It’s #cryptojacking malware.IoCs
allfontshere[.]press/fonts/courier[1-6].js
31.187.64.216Example site: https://t.co/H7ub8xCV6e pic.twitter.com/IRvwCZSwqC
— Bad Packets Report (@bad_packets) 1 April 2018
Hosts To Block
31.187.64.216
www.allfontshere.press
Affected Platforms
Drupal Core – Versions 8.5.0 / 8.4.5 / 8.3.8 / 7.57 and earlier
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.