An advanced cryptocurrency miner called Kitty has been observed exploiting the Drupal remote code execution vulnerability better known as Drupalgeddon 2.0 (details here).
CVE-2018-7600 is exploited to deliver a Bash script to the target device. This script then installs a PHP file called ‘kdrupal’ containing a Base64-encoded backdoor and registers a cron job to maintain persistence. Once this is done, a variant of the XMRig Monero miner, referred to as kkworker, is installed.
Alongside mining cryptocurrency directly on the compromised server, Kitty will also attempt to distribute another mining script called me0w.js to any hosts that connect to the server.
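A defender-side check for the infection chain described above, written here as an added example (not code from the original post or from any vendor report): it scans a constructed sample web root and crontab for the three artifacts the report names (the ‘kdrupal’ PHP backdoor, the ‘kkworker’ miner, and the me0w.js script). File paths, contents, and the pool hostname are assumptions for illustration only.

```python
import re
from typing import Dict, List

# Constructed sample of a Drupal web root and a crontab, modelled on the
# artifacts named in the report. Paths and contents are assumptions, not
# captured samples; the base64 blob simply decodes to "echo 'hi';".
SAMPLE_FILES: Dict[str, str] = {
    "sites/default/files/kdrupal.php": "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>",
    "index.php": "<?php require 'core/includes/bootstrap.inc';",
    "themes/custom/footer.html.twig": '<script src="//example.invalid/me0w.js"></script>',
}
SAMPLE_CRONTAB = (
    "*/5 * * * * /tmp/kkworker -o pool.example.invalid:3333 >/dev/null 2>&1\n"
    "0 3 * * * /usr/bin/drush cron\n"
)

# Indicators derived from the infection chain: dropper file name, the usual
# eval(base64_decode(...)) shape of a PHP backdoor, the JS miner, and the cron
# entry that keeps the XMRig variant running after reboot.
BACKDOOR_NAME = re.compile(r"(^|/)kdrupal(\.php)?$")
EVAL_B64 = re.compile(r"eval\s*\(\s*(gzinflate|str_rot13|base64_decode)\s*\(", re.I)
MEOW_JS = re.compile(r"me0w\.js", re.I)
CRON_MINER = re.compile(r"kkworker|xmrig", re.I)


def scan_files(files: Dict[str, str]) -> List[str]:
    """Return one finding per indicator matched on a file's name or content."""
    findings = []
    for path, content in files.items():
        if BACKDOOR_NAME.search(path):
            findings.append(f"{path}: file name matches kdrupal backdoor")
        if path.endswith(".php") and EVAL_B64.search(content):
            findings.append(f"{path}: eval(base64_decode(...)) pattern in PHP")
        if MEOW_JS.search(content):
            findings.append(f"{path}: reference to me0w.js miner script")
    return findings


def scan_crontab(crontab: str) -> List[str]:
    """Return crontab lines that launch the kkworker/XMRig miner."""
    return [line for line in crontab.splitlines() if CRON_MINER.search(line)]


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES) + scan_crontab(SAMPLE_CRONTAB):
        print(finding)
```

On a real host, feed the same functions the output of walking the Drupal document root and the contents of the web user's crontab; a hit on any of the three indicators is a reason to treat the server as fully compromised, since the backdoor gives the attacker arbitrary code execution.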
It took us some time to find any hosts to block for this one, but as a start it could be related to this:
Muhstik is a botnet that uses compromised websites to launch distributed denial-of-service (DDoS) attacks and install cryptocurrency mining malware.
The threat actors are currently targeting and exploiting websites running vulnerable versions of the Drupal content management system. Over one million websites are potentially affected if left unpatched.
The Muhstik botnet exploits the Drupal vulnerability (CVE-2018-7600), impacting versions 6, 7, and 8 of Drupal’s CMS platform. “This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” warned MITRE’s Common Vulnerabilities and Exposures bulletin on March 28.
When a server has been compromised, Muhstik downloads a scanning module and attempts to find other vulnerable hosts. It uploads any potential targets to Command and Control servers, which use Internet Relay Chat to issue commands.
Compromised servers are used to launch DDoS attacks and to mine the Bitcoin and Monero cryptocurrencies.
Muhstik is a variant of the Tsunami botnet. Its features include:
Xmrig to mine XMR cryptocurrency coins with a self-built mining pool
Cgminer to mine BTC cryptocurrency coins, using multiple mining pools, all with username reb0rn.D3
DDoS capability to attack networks at the owner’s command
Vulnerability scanner that utilizes 7 exploits to spread Muhstik to other vulnerable servers
SSH Brute force scanning for gaining access to servers with weak passwords
IRC based Command and Control with 11 hard-coded URLs for communication
Hosts To Block
Drupal – All versions prior to 8.5.1/8.4.6/8.3.9/7.58
A vulnerability in multiple subsystems of Drupal could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability is due to an unspecified condition that exists in multiple subsystems of the affected software. An attacker could exploit this vulnerability by sending crafted input to the affected application on a targeted system. An exploit could allow the attacker to execute arbitrary code, which could result in a complete compromise of the affected Drupal site.
Drupal.org has confirmed the vulnerability and released software updates.
An attacker could achieve a successful exploit from multiple attack vectors on a targeted system. Systems running an affected version of Drupal with default and common module configurations are exploitable.
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to monitor affected systems.
Drupal.org has released a security advisory at the following link: sa-core-2018-002
Drupal.org has released software updates at the following links: