An ongoing malware campaign that attempts to exploit web servers susceptible to the Drupalgeddon 2.0 bug in order to infect them with an XMRig-based cryptominer has generated around $11,000 in profits since commencing last April and peaking on May 20.
A July 6 blog post by Akamai's threat research team reports that the cryptojacking operation, which it calls DrupalGangster, uses the vulnerability designated as CVE-2018-7600 to perform remote command injection attacks for the purpose of creating a botnet of web servers that mines Monero while simultaneously recruiting additional vulnerable hosts.
"We can see that the activity started with a relatively small number of IPs in low volume and increased dramatically," write researchers and blog post authors Moshe Zioni and Yossef Daya. "We can assume that the attacker had a pre-prepared data set of vulnerable hosts that he attacked. The hosts that were protected and patched were presumably not harmed. Others that were successfully compromised fell under the attacker's control and began participating in the attack. That may explain the increasing number of IPs."
Akamai assesses that essentially all the attacks were generated from multiple hosting providers. "This indicates that the attacker distributed the malware sporadically on different servers, probably infecting them by exploiting [the] Drupal vulnerability," the blog post further reports. The highest number of attack requests originated from hosts located in the U.S. (119,157), followed by France (109,359).
A patch for Drupalgeddon 2.0, an RCE vulnerability, was developed last March, but attackers continue to take advantage of web server operators who have failed to implement it.
According to Akamai, the attack begins when a malicious IP attempts a command injection on its target by sending a request with a malicious script designed to exploit Drupalgeddon 2.0. After successful exploitation, the script drops an XMRig miner (either XMRig/2.6.0-beta2 or lukMiner v0.10.7), which connects to a pool service called Dwarfpool. It also drops a secondary script called "scrape2.py", which provides a list of additional vulnerable hosts. The malware then goes on to attempt to exploit those targets and grow the botnet.
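A defender-side triage sketch for the infection chain described above, added here as an example (it is not Akamai's code): it matches the miner version strings and the `scrape2.py` name from the article against host telemetry and ranks each host by how much of the chain it shows. The event tuple format, the `dwarfpool` hostname substring and all sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators named in the article. The "dwarfpool" hostname substring is an
# assumption: the article names the pool service but gives no domain.
INDICATORS = {
    "miner": re.compile(r"XMRig/2\.6\.0-beta2|lukMiner v0\.10\.7", re.I),
    "pool": re.compile(r"dwarfpool", re.I),
    # Anchor on a path separator or whitespace so "myscrape2.py" does not match.
    "spreader": re.compile(r"(^|[/\s])scrape2\.py\b"),
}

# Constructed sample telemetry as (host, source, text). Not real data.
SAMPLE_EVENTS = [
    ("web01", "net", 'stratum login {"agent": "XMRig/2.6.0-beta2 (Linux x86_64)"}'),
    ("web01", "dns", "query xmr-eu.dwarfpool.example"),
    ("web01", "file", "created /var/www/html/sites/default/files/scrape2.py"),
    ("web02", "file", "created /home/dev/tools/myscrape2.py"),
    ("web03", "dns", "query xmr-eu.dwarfpool.example"),
    ("web04", "proc", "python /opt/app/manage.py runserver"),
]

def stages_by_host(events):
    """Map each host to the set of attack-chain stages its events match."""
    seen = defaultdict(set)
    for host, _source, text in events:
        for stage, pattern in INDICATORS.items():
            if pattern.search(text):
                seen[host].add(stage)
    return dict(seen)

def classify(stages):
    """Rank a host by how much of the chain described in the article it shows."""
    mining = bool(stages & {"miner", "pool"})
    if "spreader" in stages and mining:
        return "mining-and-propagating"  # miner plus the host-list script
    if mining:
        return "mining"                  # miner or pool traffic only
    if "spreader" in stages:
        return "propagation-artifact"    # host-list script without a miner
    return "clean"

def triage(events):
    """Return {host: verdict} for every host that appears in the events."""
    found = stages_by_host(events)
    hosts = sorted({host for host, _source, _text in events})
    return {host: classify(found.get(host, set())) for host in hosts}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict}")
```
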
Akamai says that roughly 3,600 of its own customers' sites were targeted in the campaign, but all of the attacks were mitigated.