Websites running vulnerable versions of the Drupal content management system are being targeted by the latest incarnation of the Kitty malware family.
Security researchers at Incapsula report that Kitty is attempting to hijack servers using the highly critical Drupalgeddon 2.0 remote code execution exploit (CVE-2018-7600), which was made public at the end of March and exists in many versions of Drupal 7.x and 8.x.
As the researchers explain, Kitty is unusual because of how it distributes its Monero cryptocurrency-mining code. It compromises internal networks and web application servers, and it also hijacks the browsers of people visiting the affected sites.
Kitty avails itself of open-source mining code to take advantage of visiting browsers, installs a backdoor on infected systems, and contains an automatic updating routine that allows remote hackers to easily push out updates.
The malware is commanded by a mining script named me0w.js.
Embedded within the malware is a message that continues the feline theme:
me0w, don’t delete pls i am a harmless cute little kitty, me0w
Last month, the Kitty malware was discovered targeting web servers running vulnerable versions of the vBulletin CMS. In that case, the attack exploited a vulnerability to embed malicious code posing as a script to load fonts into websites.
That attack, and this latest involving Drupal, underlines the importance of properly maintaining website content management systems with tight security and regular automated updates.
Drupal has warned that it’s not enough to simply update your CMS on affected web servers, as that won’t remove any backdoors that may have been put in place by attackers or fix any unauthorised modifications that have been made to a site. For this reason, it’s a good idea to update Drupal as soon as possible and *then* explore whether the site was compromised.
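A post-update compromise check along the lines described above, as an added example that is not from the original article or from Incapsula's research: it sweeps a web root for the only two indicators the article names, the me0w.js script name and the embedded message. The function names and the sample docroot are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators taken from the article text only: the mining script name and a
# fragment of the embedded message (chosen to avoid the apostrophe, which may
# be typeset differently from the bytes on disk).
SCRIPT_NAME = "me0w.js"
MARKERS = {
    "script-reference": re.compile(rb"me0w\.js", re.I),
    "embedded-message": re.compile(rb"i am a harmless cute little kitty", re.I),
}
MAX_BYTES = 2 * 1024 * 1024  # read at most 2 MiB per file


def scan_docroot(docroot):
    """Return sorted (relative_path, reason) pairs for files matching a marker."""
    hits = set()
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            if name.lower() == SCRIPT_NAME:
                hits.add((rel, "filename"))
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            for reason, pattern in MARKERS.items():
                if pattern.search(data):
                    hits.add((rel, reason))
    return sorted(hits)


def demo():
    """Build a constructed docroot (not real samples) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "themes"))
        samples = {
            "index.php": b"<?php echo '<script src=\"/me0w.js\"></script>';",
            "me0w.js": b"/* me0w, don't delete pls i am a harmless cute little kitty, me0w */",
            "themes/clean.js": b"console.log('ok');",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan_docroot(root)
```

An empty result only means these two markers are absent; it does not cover the backdoor, which the article does not name, so file-integrity comparison against a known-good Drupal release is still needed.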
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/featured/kitty-malware-gets-its-claws-into-drupal-websites-to-mine-monero/