
Monero-mining malware deployed through Drupal security flaw

Image by Gerd Altmann (Pixabay)

Security firm Trend Micro reveals that, after a series of investigations, it found network attacks that target a vulnerability in the Drupal content management framework. The attacks appear to come from a single IP address and convert infiltrated systems into Monero-mining bots.

The malware attack can potentially change, or even delete, the content of any website running on Drupal, a free and open source content-management framework written in PHP and distributed under the GNU General Public License.

By exploiting the vulnerability — in this case, CVE-2018-7602 — the malware can deploy Monero-mining bots onto the system. The malware downloads a shell script, which then retrieves an Executable and Linkable Format (ELF) downloader; this in turn fetches the Monero-mining malware and spreads it to other devices.

The Drupal security team was able to spot the CVE-2018-7602 vulnerability while looking into another vulnerability called Drupalgeddon 2 or CVE-2018-7600.

Monero Miners

The Trend Micro report says the Monero malware that found its way into the machine is the open-source XMRig (version 2.6.3), which has the ability to identify whether the device is “to be compromised or not.”

Monero is a digital currency like Bitcoin, but unlike the latter it is private and its transactions are untraceable.

When it goes to work, the Monero miner applies its deceptive tactics by changing its process name to [^$I$^] and gaining access to the /tmp/ directory. The security firm advises IT administrators to be wary of this red flag when doing security checks and installing preventive software on the system.
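A defender-side check for the red flag described above, added here as an example and not taken from the article or from Trend Micro's report: it flags a process whose name matches the reported disguise, a bracketed argv[0] imitating a kernel thread, or a binary executing from a scratch directory. The process records in SAMPLE are constructed, and the scratch directories other than /tmp/ are an assumption.

```python
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional

MINER_PROCESS_NAME = "[^$I$^]"  # disguise name from the Trend Micro report
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumption beyond the reported /tmp/

@dataclass
class Proc:
    pid: int
    comm: str           # /proc/<pid>/comm; never bracketed, even for kernel threads
    cmdline: str        # /proc/<pid>/cmdline, NUL-joined argv; empty for kernel threads
    exe: Optional[str]  # /proc/<pid>/exe target; None if kernel thread or unreadable

def reasons(p: Proc) -> List[str]:
    """Red flags raised by one process record; an empty list means nothing suspicious."""
    argv0 = p.cmdline.split("\0")[0]
    flags = []
    if MINER_PROCESS_NAME in (p.comm, argv0):
        flags.append("name matches the reported miner disguise [^$I$^]")
    # ps brackets only kernel-thread names (empty cmdline); a bracketed argv[0] imitates one.
    if argv0.startswith("[") and argv0.endswith("]"):
        flags.append("bracketed argv[0] imitating a kernel thread")
    if p.exe and p.exe.startswith(SCRATCH_DIRS):
        flags.append(f"binary runs from scratch directory {p.exe}")
    return flags

def scan(procs: Iterable[Proc]) -> dict:
    """Map pid -> red flags for every process that raised at least one."""
    return {p.pid: r for p in procs if (r := reasons(p))}

def read_proc(root: str = "/proc") -> List[Proc]:
    """Collect records from a live Linux /proc; returns [] where it is unavailable."""
    out = []
    for entry in filter(str.isdigit, os.listdir(root) if os.path.isdir(root) else []):
        base = os.path.join(root, entry)
        try:
            comm = open(f"{base}/comm").read().rstrip("\n")
            cmdline = open(f"{base}/cmdline", "rb").read().decode(errors="replace")
            exe = os.readlink(f"{base}/exe") if os.path.exists(f"{base}/exe") else None
        except OSError:
            continue  # process exited between listing and reading
        out.append(Proc(int(entry), comm, cmdline, exe))
    return out

SAMPLE = [  # constructed records for a dry run, not captured from a real host
    Proc(2, "kthreadd", "", None),                     # genuine kernel thread
    Proc(4242, "[^$I$^]", "[^$I$^]\0", "/tmp/xmrig"),  # disguised miner as reported
]
```

On a live host, `scan(read_proc())` returns the flagged pids with their reasons; `scan(SAMPLE)` exercises the same logic on the constructed records.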

Trend Micro calls the attacks “notable” because they deceptively hide behind the Tor network, free software that allows users to communicate without leaving a trace. The security firm later found out that the IP segment was traced to a virtual private network provider and that the IP address is actually a Tor exit node, “or gateways from where encrypted Tor traffic is passed to normal internet traffic.”

Patch, patch, patch

Interestingly, Trend Micro said it was able to block 810 attacks in the past month alone from the IP address but added: “Given that it’s a Tor exit node, we are not certain if these attacks are related to the Monero-mining payload or are from a single threat actor.”

It also discovered that there were attacks coming from the IP address that exploit Heartbleed and ShellShock, “an information disclosure vulnerability in WEB GoAhead, and a memory leak flaw in Apache.”

The malware can detect security flaws dating as far back as 2014 and uses them as gateways to launch its attacks.

Trend Micro also advises IT administrators never to neglect regular patching and to practice security by design. Most importantly, the organizations’ security professionals must meticulously secure applications containing sensitive corporate data to prevent any breach. Multiple security layers can discourage hackers from targeting a system.

Most organizations now have learned to apply a more proactive approach by applying security software that can monitor unusual behaviors in the system and thwart any imminent attack.
