Cybersecurity experts at Incapsula Imperva have discovered a new malware that attacks the Drupal content management system in order to illegally mine the Monero cryptocurrency.
In addition, the program sends ironic messages to its victims: “meow, don’t delete me, I’m a harmless, cute little kitten.” The Kitty virus appeared a month after the publication of the Drupalgeddon 2.0 exploit. A remote code execution vulnerability in Drupal 7.x and 8.x versions allows hackers to use multiple attack methods to penetrate Drupal sites. Once sites are compromised, scammers can bypass security systems, mine cryptocurrency, and steal accounts and data.
“While reviewing attacks blocked by our security systems, we discovered the Kitty malware, which mines the cryptocurrency Monero using "webminerpool", open-source mining software for browsers. After executing the Kitty script, a file named “kdrupal.php” is written to the infected server. In this way, the attacker strengthens his position on the infected server and guarantees dominance using a tool to bypass the system, regardless of Drupal’s vulnerability.”
What makes Kitty unusual is that it compromises not only the server, the internal network and the website itself, but also visitors to infected domains. The malware first tries to rewrite the index.php file in the content management system site settings so that it includes the me0w.js script. Once added, JavaScript-based files are verified and sent to the mining queue. At the same time, the virus spreads to any future visitor to the sites on the infected web server.
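The two artifacts named above (a dropped kdrupal.php file and an index.php that pulls in me0w.js) can be checked for directly on a Drupal web root. The sketch below is an added example, not code from Imperva or from the original article; only the two file names come from the text, while the function names, the scanned extensions and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Indicator names taken from the article; everything else here is an assumption.
BACKDOOR_NAME = "kdrupal.php"
MINER_SCRIPT = "me0w.js"
SCANNED_EXTENSIONS = (".php", ".js", ".html", ".htm", ".inc", ".tpl")
MAX_BYTES = 2 * 1024 * 1024  # read at most this much of each file


def scan_webroot(root):
    """Return sorted (finding, relative_path) tuples for a web root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower == BACKDOOR_NAME:
                findings.add(("backdoor-file", rel))
            if lower == MINER_SCRIPT:
                findings.add(("miner-script-file", rel))
            if not lower.endswith(SCANNED_EXTENSIONS):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                findings.add(("unreadable", rel))
                continue
            # Any other file that mentions the miner script has been tampered with.
            if MINER_SCRIPT.encode() in data.lower() and lower != MINER_SCRIPT:
                findings.add(("references-miner-script", rel))
    return sorted(findings)


def build_sample_webroot(root):
    """Constructed sample tree: a clean file, a tampered index.php, a dropped file."""
    os.makedirs(os.path.join(root, "sites", "default"))
    samples = {
        "index.php": "<?php // constructed sample\n?><script src=\"/me0w.js\"></script>\n",
        "update.php": "<?php // constructed clean file\n",
        os.path.join("sites", "default", "kdrupal.php"): "<?php // constructed placeholder\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for finding, rel in scan_webroot(tmp):
            print(f"{finding}\t{rel}")
```

A hit from this scan means patching Drupal alone is not enough, since the quoted analysis says the dropped file keeps the attacker's access regardless of Drupal's vulnerability.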
Previously, we also reported on an interesting conversation between Timofey Zhannin, the developer of the ApiLeap screenshot API, and a cryptocurrency scammer, who not only advised Zhannin to update the domain security, but also asked for a job, convinced that he could violate the security protocol. There was also a hacker who targeted the LA Times to mine digital currency using the electronic devices of visitors to the newspaper's website. He left a message advising developers to fix the vulnerability “before the bad guys find out about it.” Scammers seem to like to leave their victims goodbye letters.
According to https://cryptovest.com
