Old Drupal Vulnerability Exploited to Mine Cryptocurrency

Trend Micro discovered that a previously patched, critical vulnerability in versions 7 and 8 of Drupal is being exploited again, this time to mine the Monero cryptocurrency. The vulnerability, CVE-2018-7602 , is a remote code execution flaw that grants the threat actor elevated permissions to modify and delete Drupal content, and may allow the actor to exploit additional vulnerabilities. These attacks download a shell script that retrieves an Executable and Linkable Format-based (ELF) downloader. The ELF downloader establishes a task to keep itself updated and downloads the Monero-mining malware COINMINER_TOOLXMR.O-ELF64 - a variant of XMRig - through a script concealed as up.jpg. Once the malware runs, it changes its name to “[^$I$^].” Systems affected by this malware may experience a slowdown or increased fan activity. The NJCCIC highly recommends Drupal site owners and administrators review the Drupal security advisory, the NJCCIC’s previous alert on this vulnerability, and install the appropriate update as soon as possible.