Crypto Me0wing Attacks: Kitty Cashes in on Monero
(May 2, 2018)
Threat actors are still exploiting the Drupal platform vulnerability, known as “Drupalgeddon2.0” and registered as “CVE-2018-7600,” nearly one month after the vulnerability was addressed. In this instance, actors are exploiting Drupalgeddon2.0 to install Monero cryptocurrency mining malware called “Kitty,” according to Imperva researchers. The Kitty malware uses publicly available web browser mining software called “webminerpool” and the “XMRig” CPU miner to mine Monero. In addition to being able to maintain persistence on a web server, Kitty is also capable of infecting visitors to websites hosted on compromised servers.
Recommendation: It is paramount that web server administrators maintain their software and apply security updates to avoid being targeted, especially after proof-of-concept code for an exploit is made available in open sources. Administrators should review Drupal’s Security Advisory at https://www.drupal.org/sa-core-2018-002 and apply the necessary update as soon as possible if it has not been applied already.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.