articleStartImage

Hackers’ fascination with Monero doesn’t appear to be slowing down. As servers barely begin to recover from the onslaught of exploits that mined Monero using their processors, another remote code execution vulnerability is attacking systems running Drupal.

The researchers at Help Net Security that discovered it gave it the moniker “Kitty” due to the fact that the malware is delivered from a folder with this name. Don’t let the cute name fool you: This exploit injects code into the server that would continue to work even if the administrator removes Drupal from it.

“Once the Kitty bash script is executed, a PHP file named kdrupal.php is written to the infected server disc. In doing so, the attacker reinforces their foothold in the infected server and guarantees dominance using a backdoor independent of the Drupal vulnerability,” the company wrote in its report.

The script first authenticates the attacker, making sure no one else can access its functions. Then, it registers a scheduled service that repeatedly downloads and executes a script to ensure that the server remains infected.

“Once the attacker gets a persistent hold of the server, a mining program ‘kkworker,’ which is the well-known XMRig Monero miner, is installed and starts the mining process,” the company added.

Kitty isn’t done yet, though.

It might have control of a powerful server to do its bidding, but Kitty is a greedy creature. The attack also involves a mining script, labeled “me0w.js,” which injects itself into every JavaScript file on the server imaginable.

Inside the script, we also can see code that uses visitors’ CPUs to mine Monero to the hacker’s wallet.

Further in the code, we can also find a statement from the hacker that reads, “don’t delete pls i am a harmless cute little kitty.”

Help Net Security responded to this finding with, “Good thing we’re dog people.”

It bears mentioning that this particular exploit is a variant on the “Drupalgeddon 2.0” series of attacks, in which over 300 servers running Drupal—including sites like the San Diego Zoo and the government of Chihuahua, Mexico—were forced to mine Monero for a hacker.