An advanced cryptocurrency miner called Kitty has been observed exploiting the Drupal remote code execution vulnerability CVE-2018-7600, better known as Drupalgeddon 2.0.
The vulnerability is exploited to deliver a Bash script to the target server. This script installs a PHP file called ‘kdrupal’ containing a Base64-encoded backdoor and registers a cron job to maintain persistence. Once this is done a variant of the XMRig Monero miner, referred to as kkworker, is installed. Killing the miner process alone is therefore not enough: the cron job and the backdoor remain and can reinstall it.
Alongside mining cryptocurrency directly on the compromised server, Kitty also attempts to distribute a further mining script called me0w.js to any hosts that connect to the server.
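To check a Linux web host for the indicators just described, here is an added hunt script; it is not from the original post or from any of the research it summarises. It looks for a file named kdrupal or any PHP file that eval()s a base64_decode() payload, a crontab entry referencing kkworker, pages that load me0w.js through a <script> tag (an assumed delivery mechanism; the post does not say how me0w.js reaches visitors), and a running kkworker process. The web root and cron files it scans are constructed for the demonstration; on a real host point the functions at /var/www, /etc/crontab, /etc/cron.d/* and /var/spool/cron/*.

```sh
#!/bin/sh
# Host hunt for the Kitty infection chain (added example, not the post's own code).
#   1. dropped backdoor: a file named 'kdrupal', or a PHP file that eval()s base64_decode()
#   2. persistence: a cron entry that keeps the 'kkworker' XMRig variant running
#   3. injection: served pages carrying <script src="...me0w.js"> (assumed mechanism)
#   4. a running kkworker process
# build_fixture() creates a CONSTRUCTED web root and cron directory for demonstration.
set -eu

# Count lines on stdin without the leading whitespace some `wc -l` builds emit.
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    echo "$n"
}

# 1. Backdoor: name contains 'kdrupal' OR a PHP file evals a base64 blob.
find_kdrupal_backdoors() {
    root="$1"
    {
        find "$root" -type f -name '*kdrupal*' 2>/dev/null || true
        find "$root" -type f -name '*.php' \
            -exec grep -lE 'eval[[:space:]]*\([[:space:]]*base64_decode' {} + 2>/dev/null || true
    } | sort -u
}

# 2. Persistence: any crontab file passed in that mentions kkworker.
#    Real host: find_cron_persistence /etc/crontab /etc/cron.d/* /var/spool/cron/*/*
find_cron_persistence() {
    grep -l 'kkworker' "$@" 2>/dev/null || true
}

# 3. Injection: files under the web root that load me0w.js via a script tag.
find_me0w_injections() {
    root="$1"
    grep -rlE '<script[^>]*src=["'"'"'][^"'"'"']*me0w\.js' "$root" 2>/dev/null || true
}

# 4. Running miner (live check only, not exercised by the fixture). The [k]
#    bracket keeps grep from matching its own command line.
find_kkworker_processes() {
    ps -eo pid,user,args 2>/dev/null | grep -E '[k]kworker' || true
}

# CONSTRUCTED fixture: two clean files plus four indicator files that mimic what
# the post describes. None of this is a real sample.
build_fixture() {
    fx="$(mktemp -d)"
    mkdir -p "$fx/www/sites/default/files" "$fx/cron"
    printf '<?php echo "hello"; ?>\n' > "$fx/www/index.php"
    printf '<html><body>ok</body></html>\n' > "$fx/www/clean.html"
    printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$fx/cron/logrotate"
    # "ZWNobyAiaGkiOw==" is base64 for: echo "hi";
    printf '<?php eval(base64_decode("ZWNobyAiaGkiOw==")); ?>\n' > "$fx/www/kdrupal"
    printf '<?php @eval( base64_decode($_POST["c"]) ); ?>\n' > "$fx/www/sites/default/files/cache.php"
    printf '*/5 * * * * /tmp/kkworker >/dev/null 2>&1\n' > "$fx/cron/www-data"
    printf '<html><head><script src="http://example.invalid/me0w.js"></script></head></html>\n' \
        > "$fx/www/sites/default/files/injected.html"
    echo "$fx"
}

# Stand-alone run: build the fixture, report each indicator class, clean up.
FX="$(build_fixture)"
printf 'backdoors:\n';          find_kdrupal_backdoors "$FX/www"
printf 'cron persistence:\n';   find_cron_persistence "$FX"/cron/*
printf 'me0w.js injections:\n'; find_me0w_injections "$FX/www"
printf 'running miners:\n';     find_kkworker_processes
rm -rf "$FX"
```

The backdoor check deliberately matches on behaviour (eval of a base64 blob) as well as on the kdrupal name, because the dropper can be renamed; expect some false positives from legitimate plugins that use the same idiom and review each hit rather than deleting blindly.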
It took us some time to find any hosts to block for this one, but as a start it could be related to this:
This is not a font.
It’s #cryptojacking malware.
— Bad Packets Report (@bad_packets) 1 April 2018
Hosts To Block
Affected: Drupal Core versions 8.5.0, 8.4.5, 8.3.8 and 7.57 and earlier. CVE-2018-7600 is fixed in 8.5.1, 8.4.6, 8.3.9 and 7.58; patching is the only fix, since blocking hosts only cuts off one delivery path.