This Kitty malware does not only try to infect, and target web servers and its visitors. They also have a keen sense of humor by leaving a cheeky note for cat lovers.
Unfortunately, this is not the first instance Kitty has been seen in the computer world. But this time, its latest version is targeting Drupal websites to mine cryptocurrency.
According to researchers from Imperva’s Incapsula, Kitty is the latest malware to attack the Drupal content management system (CMS) for the purpose of cryptojacking.
Not so long ago, the Drupalgeddon 2.0 (CVE-2018-7600) exploit was published. The vulnerability, deemed “highly critical,” is a remote code execution bug present in Drupal versions 7.x and 8.x.
The above mentioned Drupalgeddon 2.0 vulnerability allows various schemes, tactics and attack vectors to compromise Drupal sites. A few of them include scanning, backdoor implementation, and cryptocurrency mining are all possible, as well as a data theft and account hijacking.
According to the Drupalgeddon 2.0 (CVE-2018-7600), it is caused by insufficient sanitation of arrays objects at Drupal’s core modules. In turn, this allows for remote code execution. Thus, making this vulnerability to become an entry point for other forms of malware to take root in Drupal setups, including the Kitty malware.
Now, where does this new Kitty malware do and why is it different?
It is that it is not only the internal network, server, and website itself which may be compromised to mine cryptocurrency, but the malware also targets visitors to compromised domains. How very convenient for the developers, more the merrier for them.
Kity has been designed to be a Monero open-source cryptocurrency mining software for browsers. It runs a bash script kdrupal.php, which is written into an infected server disc. Once done, it establishes a backdoor into an infected system separate from the Drupal vulnerability.
Kitty is thorough and persistent. A scheduler then periodically re-downloads and executes the script every minute, which not only results in persistent infection but also allows attackers to push updates to the Kitty malware and infected servers quickly.
The server once under the malware developers control, “kkworker” Monero cryptocurrency miner is then installed and executes. Conveniently enough, anything mined is then sent to the developers.
And here is a minor twist, the Kitty malware is not content in just infecting one server. It tries every avenue it can to infect other web resources it can get a hold of with a mining script dubbed me0w.js.
It basically wants to tamper with the index.php file on the server. In which case this is a very common file in CMS website setups. Once it is able to do so, it then adds it to the meow.js script. And succeeding JavaScript-based files are then scanned and added to the mining list.
“In doing so, the attacker infects any future visitor on the infected web server sites to mine cryptocurrency for his disposal,” the researchers note. “Lastly, to win over kitty lovers’ hearts, the attacker cheekily asks to leave his malware alone by printing ‘me0w, don’t delete pls i am a harmless cute little kitty, me0w’.”
This is not the first time the Monero mining address used in Kitty has been spotted. At the start of April, attacks targeting web servers running the vBulletin 4.2.X CMS also implemented Kitty through compromised vBulletin web servers.
Whenever Kitty is updated, the operator adds a new version note. The first variant discovered was version 1.5, and the latest miner is version 1.6.
This would not just be a simple attack. It is pretty much what we can describe as a software product. They are more organized like a business entity. They fix bugs and release new featured updates which they include in their latest versions. At this rate, it is more alarming since we can call it a cryptomining syndicate.
=====
Was this helpful?
As we value quality over quantity, we have focused our unified I.T. services to Small and Medium businesses only to Arizona specifically in Phoenix, Scottsdale, Glendale Metro areas.
Our technicians are available the very instant you call us; thereby, ensuring no interruption of your usual business operations. In case you can’t access our contact page, our phone support is always available to cater to your calls. Just give us a ring at 480-464-0202
