Kitty Cryptocurrency Miner

An advanced cryptocurrency miner called Kitty has been observed exploiting the Drupal remote code execution vulnerability better known as Drupalgeddon 2.0 (CVE-2018-7600).

CVE-2018-7600 is exploited to deliver a Bash script to the target server. The script installs a PHP file called ‘kdrupal’ containing a Base64-encoded backdoor and registers a cron job to maintain persistence. Once this is done, a variant of the XMRig Monero miner, referred to as kkworker, is installed.

Alongside mining cryptocurrency directly on the compromised server, Kitty also attempts to distribute a JavaScript mining script called me0w.js to any client that connects to the server.

“The attacker initially tries to alter the commonly used index.php file and add to it the malicious JavaScript me0w.js,” a blog post explains. “They then scan for all JavaScript files on the server and, once found, inject the same malicious me0w.js file.”
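The infection chain above (dropped kdrupal PHP file with a Base64-encoded backdoor, me0w.js injected into index.php and every .js file, cron persistence, kkworker miner) gives an incident responder a concrete set of things to look for on a Drupal docroot. The following POSIX sh triage script is an added example and is not code from the original post or from the Kitty malware itself. It assumes, beyond what the post states, that the backdoor file may carry a .php extension, that the Base64 payload is executed through an eval(base64_decode(...)) pattern, and that the cron job uses a curl/wget fetch-and-execute one-liner; the sample docroot it builds is constructed for the demo. Cron and process checks are left as commands to run on the live host, since they cannot be reproduced offline.

```shell
#!/bin/sh
# Added triage script for a Drupal docroot after a suspected Kitty infection
# (example code, not from the original post). Indicators taken from the post:
# a dropped PHP file named "kdrupal" holding a Base64-encoded backdoor,
# "me0w.js" injected into index.php and every .js file, a cron job for
# persistence, and an XMRig variant running as "kkworker".
# Assumptions not stated in the post: the backdoor file may have a .php
# extension, the payload runs via eval(base64_decode(...)), and the cron job
# pulls a script with curl/wget piped into a shell.

# 1. Dropped backdoor: any file whose name starts with "kdrupal".
count_backdoor_files() {
    find "$1" -type f -iname 'kdrupal*' | wc -l | tr -d ' '
}

# 2. Injected miner loader: index.php or any .js file referencing me0w.js.
list_injected_files() {
    find "$1" -type f \( -name '*.js' -o -name 'index.php' \) \
        -exec grep -l 'me0w\.js' {} + 2>/dev/null
}

# 3. Base64-wrapped PHP payloads (assumed eval(base64_decode()) pattern).
#    Drupal core calls base64_decode legitimately, so eval() is required too.
list_encoded_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'eval *\( *base64_decode *\(' {} + 2>/dev/null
}

# 4. Cron persistence: read crontab text on stdin (crontab -l, /etc/cron.d/*)
#    and print lines that fetch-and-execute or name the Kitty artefacts.
suspicious_cron_lines() {
    grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|kkworker|kdrupal|me0w'
}

# Constructed sample docroot so the script can be exercised offline.
build_sample_docroot() {
    d="$1"
    mkdir -p "$d/sites/default" "$d/core/misc"
    printf '<?php echo "clean";\n' > "$d/sites/default/settings.php"
    printf 'console.log("clean");\n' > "$d/core/misc/drupal.js"
    # loader injected at the top of index.php and appended to a JS file
    printf '<script src="//example.invalid/me0w.js"></script>\n<?php\n' > "$d/index.php"
    printf 'var x=1;\ndocument.write("<script src=\\"//example.invalid/me0w.js\\"></script>");\n' > "$d/core/misc/jquery.js"
    # dropped backdoor (name from the post, .php extension assumed); the
    # Base64 payload here is just phpinfo(); for the demo
    printf '<?php eval(base64_decode("cGhwaW5mbygpOw=="));\n' > "$d/kdrupal.php"
}

triage() {
    root="$1"
    echo "backdoor files : $(count_backdoor_files "$root")"
    echo "injected files : $(list_injected_files "$root" | wc -l | tr -d ' ')"
    echo "encoded php    : $(list_encoded_php "$root" | wc -l | tr -d ' ')"
    # On a live host, follow with:  crontab -l | suspicious_cron_lines
    # and look for the miner with:   ps -eo pid,user,cmd | grep '[k]kworker'
}

# Run with --demo to triage the constructed sample docroot.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_sample_docroot "$tmp"
    triage "$tmp"
    rm -rf "$tmp"
fi
```

Run it as `sh triage.sh --demo` to see the three counters against the sample docroot, or call `triage /var/www/html` on a real host. Treat a hit on any counter as a reason to rebuild from a known-good deployment rather than to delete individual files, since the post describes three separate persistence points (backdoor, cron job, miner binary) and any one of them is enough to re-establish the rest.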

It took us some time to find any hosts to block for this one, but as a start it could be related to this:

Hosts To Block

Affected Platforms

Drupal Core – versions 8.5.0, 8.4.5, 8.3.8 and 7.57 and earlier (fixed in 8.5.1, 8.4.6, 8.3.9 and 7.58 respectively)

Note that upgrading to a fixed release only closes the entry point. On a server that is already compromised, the kdrupal backdoor, the cron job and the kkworker miner described above remain in place and have to be removed separately.

Duncan Newell

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security and a wide range of other skills in radio, electronics and telecommunications.
