articleStartImage

It seems crypto jackers are getting into the habit of leaving cheeky notes to their victims.

Researchers at Imperva's Incapsula said a new piece malware called Kitty leaves a note for cat lovers. It attacks the Drupal content management system (CMS) to illegally mine cryptocurrency Monero.

A part of the blog post reads:

"Lastly, to win over kitty lovers' hearts, the attacker cheekily asks to leave his malware alone by printing 'me0w, don't delete pls i am a harmless, cute little kitty, me0w'."

The discovery of the Kitty malware came a month after the publication of the Drupalgeddon 2.0 exploit. A remote code execution vulnerability in Drupal versions 7.x and 8.x allows hackers to use several attack methods to infiltrate Drupal websites. Once the sites are compromised, crypto jackers can scan, conduct backdoor implementation and mine cryptocurrency, hijack accounts, and steal data.

The researchers added:

“During the inspection of the attacks blocked by our systems, we came across the ‘Kitty’ malware, an advanced Monero cryptocurrency miner, utilizing a ‘webminerpool’, an open source mining software for browsers. Once the Kitty bash script is executed, a PHP file named ‘kdrupal.php’ is written to the infected server disc. In doing so, the attacker reinforces their foothold in the infected server and guarantees dominance using a backdoor independent of the Drupal vulnerability.”

What makes Kitty unique is that it does not only compromise the server, internal network, and the website itself but also the visitors of the infected domains. The malware will first try to rewrite the index.php – a very common file in CMS website setups – and include it in the me0w.js script. Once added, the JavaScript-based files are scanned and sent to the mining list.

"In doing so, the attacker infects any future visitor on the infected web server sites to mine cryptocurrency for his disposal," Incapsula pointed out.

Cheeky crypto jackers

On Wednesday, we reported about an interesting conversation between Timothée Jeannin, a developer at screenshot API service provider ApiLeap, and a crypto jacker who not only advised Jeannin to update domain security but also asked for a job, apparently gaining confidence from the fact that he was able to breach the security protocol.

There was also the hacker who attacked the LA Times to mine digital currencies using the electronic gadgets of visitors to the newspaper website. He left a cheeky note telling the developers to fix their vulnerability “before a bad guy finds it.”