Hackers are now exploiting the Drupal vulnerability to serve up Monero-mining malware
Cybercriminals are currently leveraging the Drupal vulnerability to serve up Monero-mining malware. The new network attacks are aimed at turning the affected systems into Monero-mining bots.
According to security researchers at Trend Micro, who discovered the new Drupal attacks, the hackers are using the Tor network to evade detection.
Although the attacks are currently infecting systems with performance-slowing and resource-stealing malware, researchers noted the Drupal vulnerability could be used by hackers as a “doorway” to inject other cyberthreats.
The Drupal vulnerability is a remote code execution flaw that affects Drupal versions 7 and 8. The flaw was preceded by yet another vulnerability called Drupalgeddon 2. Although both vulnerabilities have already been patched, not all users have implemented the fixes.
In the latest attacks exploiting the Drupal vulnerability, a shell script is downloaded, which in turn drops a downloader that installs a Monero miner on the infected system.
“The Monero miner installed in the machine is the open-source XMRig (version 2.6.3). It also checks if the machine is to be compromised or not. When the miner starts to run, it changes its process name to [^$I$^] and accesses the file /tmp/dvir.pid,” Trend Micro researchers wrote in a blog. “This is a red flag that administrators or information security professionals can take into account to discern malicious activities, such as when deploying host-based intrusion detection and prevention systems or performing forensics.”
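The two host indicators quoted above (the renamed process and the pid file) are the kind of red flag a host-based check can look for. The script below is an added example written for this article, not code from Trend Micro; it takes `ps -eo pid,comm` output and a file-existence test as inputs so it runs offline against a constructed sample, and a `live_scan()` helper runs the same checks on a real Linux host. Function names and the sample process list are illustrative assumptions.

```python
import os
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Host indicators quoted in the Trend Micro write-up above: the running miner
# renames its process and accesses this pid file. Everything else here
# (function names, sample data) is illustrative and not from the report.
SUSPICIOUS_PROCESS_NAME = "[^$I$^]"
SUSPICIOUS_PID_FILE = "/tmp/dvir.pid"


@dataclass(frozen=True)
class Finding:
    indicator: str   # which indicator matched ("process_name" or "pid_file")
    detail: str      # what matched (pid and name, or the path)


def parse_ps_output(text: str) -> List[Tuple[int, str]]:
    """Parse `ps -eo pid,comm` output: a header row, then one "PID COMM" row per process."""
    procs: List[Tuple[int, str]] = []
    for line in text.splitlines()[1:]:          # skip the "PID COMMAND" header
        line = line.strip()
        if not line:
            continue
        pid_str, _, comm = line.partition(" ")  # pid, then the (possibly padded) name
        procs.append((int(pid_str), comm.strip()))
    return procs


def check_process_names(procs: List[Tuple[int, str]]) -> List[Finding]:
    """Report every process whose name equals the miner's renamed process name."""
    return [
        Finding("process_name", f"pid {pid} is named {comm!r}")
        for pid, comm in procs
        if comm == SUSPICIOUS_PROCESS_NAME
    ]


def check_pid_file(path_exists: Callable[[str], bool] = os.path.exists) -> Optional[Finding]:
    """Report the miner's pid file if present; the existence test is injectable for offline runs."""
    if path_exists(SUSPICIOUS_PID_FILE):
        return Finding("pid_file", f"{SUSPICIOUS_PID_FILE} exists")
    return None


def scan(ps_text: str, path_exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Run both checks over the given ps output and file-existence test."""
    findings = check_process_names(parse_ps_output(ps_text))
    pid_file = check_pid_file(path_exists)
    if pid_file:
        findings.append(pid_file)
    return findings


def live_scan() -> List[Finding]:
    """Run the checks against the local host (Linux with procps `ps`)."""
    ps_text = subprocess.run(
        ["ps", "-eo", "pid,comm"], check=True, capture_output=True, text=True
    ).stdout
    return scan(ps_text)


# Constructed sample ps output for a stand-alone run; not captured from a real host.
SAMPLE_PS_OUTPUT = """\
  PID COMMAND
    1 systemd
  412 sshd
  913 apache2
 2048 [^$I$^]
"""

if __name__ == "__main__":
    # Simulate the pid file being present so both indicators fire in the demo.
    for f in scan(SAMPLE_PS_OUTPUT, path_exists=lambda p: p == SUSPICIOUS_PID_FILE):
        print(f"{f.indicator}: {f.detail}")
```

Either indicator on its own is a lead rather than proof, which is why the checks report separately and leave the weighing to the analyst; on a real host, `live_scan()` is the call to schedule or wire into an existing HIDS.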
Trend Micro researchers said that the hackers took steps to evade detection by hiding behind the Tor network. However, the researchers were able to trace the malware’s footprints to an IP address, which likely belongs to a VPN provider.
“We found that the IP address is a Tor exit node — gateways from where encrypted Tor traffic is passed to normal internet traffic. Given that it’s a Tor exit node, we are not certain if these attacks are related to the Monero-mining payload or are from a single threat actor,” Trend Micro researchers added.