Cyrpto-Me0wing, Not a Cute Kitty of the Internet

The internet has been the gateway to fame for many a cat, but the latest vulnerability in Drupal, the "Kitty" malware, has gained popularity for more nefarious reasons. The critical remote code execution (RCE) vulnerability is an attack variant piggybacking on the Drupalgeddon 2.0 exploit.

Researchers at Imperva reported a new technique in the crypto-jacking attack trend. "During the inspection of the attacks blocked by our systems, we came across the 'Kitty' malware, an advanced Monero cryptocurrency miner, utilizing a 'webminerpool,' an open source mining software for browsers," Imperva wrote.

Once executed, the Kitty script uses a backdoor independent of the Drupal vulnerability to establish control. A time-based job scheduler periodically re-downloads and executes a Bash script from a remote host so that the attacker can quickly make updates and changes to the infected servers. 

Nadav Avital, security research team leader at Imperva, explained that the Kitty malware works in two different directions: infecting the web server and infecting the web browsers. As a result, different detection and protection techniques are required.

Fixing the vulnerable code, applying a patch or using a virtual patch solution are different methods that can help prevent the infection from happening.

"In a web browser, detection can be achieved by monitoring the CPU consumption. However, since normal users don't usually run monitoring tools, it's harder for them to notice it. They can detect something is wrong when the CPU fan makes a lot of noise. This happens when the fan tries to cool the CPU from all the hard mining work," Avital said.

The Kitty malware is predominately being deployed for crypto-mining purposes, but Rod Soto, director of security research at JASK, said it’s important to note that vulnerabilities that affect CMS frameworks – like Drupalgeddon 2.0 – carry additional concerns. "The systems make up a significant portion of the internet and are prime candidates for botnet herding," said Soto.

Criminals are known to use botnets for crypto-mining, spam, identity theft, phishing, financial fraud, DDoS and more. "Even though the Kitty malware is simply lining bad actors’ pockets with cryptocoins at the moment, we should expect to see new variants of malware that exploit Drupalgeddon 2.0 to execute further attacks as well," Soto said.

What’s Hot on Infosecurity Magazine?