According to researchers from Imperva’s Incapsula, Kitty is the latest malware to attack the Drupal content management system (CMS) for the purpose of cryptojacking.
It has been just over a month since the Drupalgeddon 2.0 (CVE-2018-7600) exploit was published. The vulnerability, deemed “highly critical,” is a remote code execution bug present in Drupal versions 7.x and 8.x.
The vulnerability allows threat actors to employ various attack vectors to compromise Drupal websites. Scanning, backdoor implementation, and cryptocurrency mining are all possible, as well as a data theft and account hijacking.
Drupalgeddon 2.0 is caused by insufficient sanitation of arrays objects at Drupal’s core modules, which allows for remote code execution. This vulnerability has become an entry point for other forms of malware to take root in Drupal setups, including the Kitty malware.
What makes Kitty different is that it is not only the internal network, server, and website itself which may be compromised to mine cryptocurrency, but the malware also targets visitors to compromised domains.
Kitty, a Monero cryptocurrency which utilizes open-source mining software for browsers, executes a bash script, kdrupal.php, which is written to an infected server disc. This then establishes a backdoor into an infected system separate from the Drupal vulnerability.
A scheduler then periodically re-downloads and executes the script every minute, which not only results in persistent infection but also allows attackers to push updates to the Kitty malware and infected servers quickly.
When the server is firmly under the attacker’s control, the “kkworker” Monero cryptocurrency miner is then installed and executes. Any cryptocurrency mined through the stolen power of the server is then sent to a wallet belonging to the threat actor.
However, one server is not enough, it seems. The malware is also commanded to infect other web resources with a mining script dubbed me0w.js.
“In doing so, the attacker infects any future visitor on the infected web server sites to mine cryptocurrency for his disposal,” the researchers note. “Lastly, to win over kitty lovers’ hearts, the attacker cheekily asks to leave his malware alone by printing ‘me0w, don’t delete pls i am a harmless cute little kitty, me0w’.”
This is not the first time the Monero mining address used in Kitty has been spotted. At the start of April, attacks targeting web servers running the vBulletin 4.2.X CMS also implemented Kitty through compromised vBulletin web servers.
Whenever Kitty is updated, the operator adds a new version note. The first variant discovered was version 1.5, and the latest miner is version 1.6.
“This type of behavior can be an indication of an organized attacker, developing their malware like a software product, fixing bugs and releasing new features in cycles,” the researchers added.