CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Hackers Exploit Drupal Flaw for Monero Mining

Network attacks exploiting a recently patched Drupal vulnerability are attempting to drop Monero mining malware onto vulnerable systems, Trend Micro reports.

Network attacks exploiting a recently patched Drupal vulnerability are attempting to drop Monero mining malware onto vulnerable systems, Trend Micro reports.

Tracked as CVE-2018-7602 and considered a highly critical issue that could result in remote code execution, the vulnerability impacts Drupal’s versions 7 and 8 and was addressed in April this year.

The flaw is dubbed Drupalgeddon3 and the patch for it only works if the fix for the original Drupalgeddon2 vulnerability (CVE-2018-7600) has been applied.

Last month, hackers were observed targeting both security vulnerabilities to deliver a variety of threats, including cryptocurrency miners, remote administration tools (RATs) and tech support scams.

Trend Micro now says they noticed network attacks exploiting CVE-2018-7602 to turn affected systems into Monero-mining bots. As part of the observed incidents, the exploit fetches a shell script that retrieves an Executable and Linkable Format-based (ELF) downloader.

The malware adds a crontab entry to automatically update itself and also retrieves and installs a Monero-mining
application, a modified variant of the open-source XMRig (version 2.6.3). The use of XMRig is a feature common to most attacks attempting to mine for Monero.

The downloader also checks the target machine to determine whether it is worth compromising.

When executed, the mining application changes its process name to [^$I$^] and accesses the file /tmp/dvir.pid, Trend Micro says.

Advertisement. Scroll to continue reading.

“This is a red flag that administrators or information security professionals can take into account to discern malicious activities, such as when deploying host-based intrusion detection and prevention systems or performing forensics,” the security firm notes.

The actors behind this attack hide behind the Tor network, but Trend Micro says they were able to trace the activity to 197[.]231[.]221[.]211, an IP belonging to a virtual private network (VPN) provider. This IP address is a Tor exit node.

Over the past month, the security firm has blocked 810 attacks coming from this IP address, but cannot confirm that they were all related to the Monero-mining payload or performed by the same actor.

Most of the attacks attempt to exploit the Heartbleed vulnerability (CVE-2014-0160), while others target ShellShock (CVE-2014-6271), a flaw in WEB GoAhead (CVE-2017-5674), and an old memory leak in Apache (CVE-2004-0113).

“Trend Micro also blocked File Transfer Protocol (FTP) and Secure Shell (SSH) brute-force logins from this IP address. Note that these attacks exploit even old Linux or Unix-based vulnerabilities, underscoring the importance of defense in depth,” the security researchers warn.

Patched Drupal installations should be safe from the recent attacks and site admins are advised to apply the available patches as soon as possible, to ensure their systems remain secure.

Related: Hacked Drupal Sites Deliver Miners, RATs, Scams

Related: Drupal Patches New Flaw Related to Drupalgeddon2

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.