Kitty cryptominer targets web app servers, then spreads to app users

News by Bradley Barth

Cat got your tongue? It also might be stealing your computer processing power, in order to mine Monero coins. A newly uncovered, sophisticated cryptojacking malware nicknamed Kitty is attempting to infect web application servers.


According to researchers at Imperva, a newly uncovered, sophisticated cryptojacking malware nicknamed Kitty is attempting to infect web application servers by exploiting the recently discovered Drupalgeddon 2.0 remote code execution vulnerability that was patched last March. But what makes this malicious miner stand out among its brethren is that after compromising the server, it seeks to infect future users of the apps running on the server.

In a 2 May company blog post, Imperva researchers Nadav Avital, Matan Lion and Ron Masas explain that, following a successful exploitation, Kitty's first step is to use webminerpool (open-source mining software for browsers) to execute a bash script that writes a malicious PHP backdoor file named "kdrupal.php" to the infected server's disk. This establishes persistence: the backdoor does not rely on the Drupal exploit in order to remain effective, so it survives even after the server is patched.

Moreover, the malicious script is repeatedly downloaded from a remote host every minute, so that the compromised server can be re-infected or updated at any time.

Once persistence is established, the malware installs the final payload in the form of the miner program "kkworker," better known as the XMRig Monero miner. It's at this point where Kitty starts to behave especially, well, catty.

Imperva reports that Kitty spreads from the compromised server to the machines of users who visit the web app sites by infecting various web resources with a second mining script named "me0w.js." Written in JavaScript, me0w.js is an open-source miner program found on GitHub, with some minor modifications.

"The attacker initially tries to alter the commonly used index.php file and add to it the malicious JavaScript me0w.js," the blog post explains. "They then scan for all JavaScript files on the server and, once found, inject the same malicious me0w.js file..."

As an adorable extra flourish, the malware's author has also included a message in the script code that reads: "me0w, don't delete pls i am a harmless cute little kitty me0w."
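A defender-side check for the host indicators the article names (the kdrupal.php backdoor, the me0w.js reference injected into index.php and other JavaScript files, and the "harmless cute little kitty" marker string), written as an added example that is not part of the article or of Imperva's report; the web root it scans is a constructed sample tree, and all paths in it are made up.

```python
"""Scan a web root for the Kitty indicators the article names (added example,
not Imperva's code; the indicator strings are from the article, the rest is constructed)."""
import tempfile
from pathlib import Path

# Indicators taken from the article.
BACKDOOR_NAME = "kdrupal.php"
MINER_SCRIPT = "me0w.js"
MINER_MARKER = "me0w, don't delete pls i am a harmless cute little kitty me0w"
# File types the article says were altered: index.php and JavaScript files.
SCAN_SUFFIXES = {".js", ".php", ".html", ".htm"}

def scan_webroot(root):
    """Walk a web root and return sorted (relative_path, reason) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == BACKDOOR_NAME:
            findings.append((rel, "backdoor filename"))
        if path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if MINER_MARKER in text:
            findings.append((rel, "kitty marker string"))
        elif MINER_SCRIPT in text and path.name != MINER_SCRIPT:
            # A file other than the miner itself pulling in me0w.js is the injection.
            findings.append((rel, "injected reference to me0w.js"))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample tree: two clean files plus the injections the article describes."""
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    (root / "js" / "app.js").write_text("console.log('clean');\n")
    (root / "clean.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "index.php").write_text("<?php ?>\n<script src=\"/me0w.js\"></script>\n")
    (root / "js" / "jquery.js").write_text("/* library */\nvar s = document.createElement('script'); s.src = 'me0w.js';\n")
    (root / "me0w.js").write_text("// " + MINER_MARKER + "\nvar miner = {};\n")
    (root / BACKDOOR_NAME).write_text("<?php /* constructed placeholder */ ?>\n")
    return root

if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_webroot()):
        print(f"{reason}: {rel}")
```

Run against a real document root it reports the path and which indicator matched; a hit on the marker string or the backdoor name warrants the re-infection check the article describes, since the dropper is re-fetched every minute.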

Imperva further reports that the Monero address used by Kitty was spotted in early April 2018, and is linked to attacks targeting web servers running the vBulletin 4.2.X content management system (CMS).

The Drupalgeddon 2.0 vulnerability (CVE-2018-7600) that makes Kitty's initial infection possible is an RCE flaw that exists within multiple subsystems of unpatched versions of Drupal 6.x (obsolete), 7.x and 8.x.

"...It's important to note that vulnerabilities that affect CMS frameworks - like Drupalgeddon 2.0 - are particularly concerning because the systems make up a significant portion of the internet and are prime candidates for botnet herding," said Rod Soto, director of security research at SOC services provider JASK, in emailed comments.

"Botnets, as history has shown us, are a fundamental tactic used by bad actors for criminal activity and a main profit driver for the cyber-crime underground - as they can be used for cryptomining, spam, identity theft, phishing, financial fraud, DDoS and more. So, even though the Kitty malware is simply lining bad actors' pockets with cryptocoins at the moment, we should expect to see new variants of malware that exploit Drupalgeddon 2.0 to execute further attacks as well."
