Akamai’s experts have found that hackers continue to target the Drupal flaw known as Drupalgeddon2 to install malware on systems that remain unpatched.

Drupal versions 6, 7 and 8 were affected by the security flaw, tracked as CVE-2018-7600. The bug was disclosed in March 2018, and the first attacks targeting it were discovered only a couple of weeks later, attempting to install malicious programs such as crypto-miners and backdoors.

Now, Akamai security researcher Larry W. Cashdollar reports that the flaw continues to be targeted in a recently detected malicious campaign in which attackers attempt to execute code embedded in a .gif file.

While it is not widespread, the campaign appears to target a broad range of high-profile websites, with no focus on a particular industry.

One of the examined .gif files was hosted on a compromised bodysurfing website located in Brazil. The file contains obfuscated PHP code that decodes base64-encoded malware stored in a variable.
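A defender-side check for the technique described above, added here as an example (it is not Akamai's or Cashdollar's code): it scans files that carry an image extension and flags those whose bytes contain a PHP open tag, noting whether the PHP also calls `base64_decode()` or `eval()` and carries a long base64 blob. The two sample files, the `scan_bytes`/`scan_tree` function names and the signature lists are all constructed for this example.

```python
"""Flag image files that contain PHP code, the pattern of the .gif dropper
described in the article. Added example, not code from the original page.
All sample inputs below are constructed."""
import base64
import re
from dataclasses import dataclass, field
from pathlib import Path

# File types the scanner treats as "should be an image"
IMAGE_EXTS = {".gif", ".png", ".jpg", ".jpeg"}
# Magic bytes a genuine image of those types starts with
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")

PHP_OPEN = re.compile(rb"<\?php|<\?=|<\?\s")
# Functions commonly used to unpack or run an embedded payload (assumed list)
SUSPICIOUS_CALLS = re.compile(
    rb"\b(base64_decode|eval|gzinflate|str_rot13|assert|system|passthru|shell_exec)\s*\(",
    re.I,
)
# A long run of base64 alphabet, as produced by a payload stored in a variable
LONG_B64 = re.compile(rb"[A-Za-z0-9+/]{80,}={0,2}")


@dataclass
class Finding:
    path: str
    has_image_magic: bool   # file really starts like an image
    php_tag: bool           # a PHP open tag was found anywhere in the bytes
    calls: list = field(default_factory=list)
    long_base64: bool = False

    @property
    def suspicious(self) -> bool:
        # Any PHP tag inside an "image" is reason enough to investigate
        return self.php_tag


def scan_bytes(path: str, data: bytes) -> Finding:
    """Inspect raw file content; used by scan_file and directly in tests."""
    f = Finding(
        path=path,
        has_image_magic=any(data.startswith(m) for m in IMAGE_MAGIC),
        php_tag=bool(PHP_OPEN.search(data)),
    )
    if f.php_tag:
        f.calls = sorted({m.group(1).lower().decode() for m in SUSPICIOUS_CALLS.finditer(data)})
        f.long_base64 = bool(LONG_B64.search(data))
    return f


def scan_file(path: Path) -> Finding:
    return scan_bytes(str(path), path.read_bytes())


def scan_tree(root: str, exts=IMAGE_EXTS) -> list:
    """Return findings for every image-extension file under root that holds PHP."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            f = scan_file(p)
            if f.suspicious:
                hits.append(f)
    return hits


# Constructed sample 1: a minimal, benign GIF (header, logical screen descriptor, padding)
CLEAN_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16

# Constructed sample 2: a valid GIF header followed by PHP that decodes a base64
# blob into a variable and evaluates it. The blob is a harmless placeholder.
_PLACEHOLDER_B64 = base64.b64encode(b"echo 'placeholder';" * 5)
DROPPER_GIF = (
    b"GIF89a" + b"\x00" * 8
    + b"<?php $p = base64_decode('" + _PLACEHOLDER_B64 + b"'); eval($p); ?>"
)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_tree(root):
        print(f"{f.path}: php_tag={f.php_tag} image_magic={f.has_image_magic} "
              f"calls={f.calls} long_base64={f.long_base64}")
```

Run it against a web root (`python scan_images.py /var/www`) to list image files that also contain PHP. A genuine image header plus a PHP tag is the polyglot shape described in the article, while a file with an image extension and no image magic at all is simply a renamed script; both are worth pulling for review, and `has_image_magic` tells the two cases apart.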

The researcher reports that the malware can steal credentials stored in local files, email the stolen credentials out, replace the local .htaccess file, display MySQL my.cnf configuration files, execute a remote file, display system information, rename files, upload files, and run a web shell.

The threat can carry out distributed denial-of-service (DDoS) attacks, but also works as a remote access Trojan (RAT). It can connect to a now-defunct IRC server and join a particular channel to receive commands.

The malware also includes functionality to collect information from the local system, giving attackers complete control over it, and supports an SQL flood command.

“This piece of code has been widely shared and modified by the criminal Internet underground,” Cashdollar says.

The new campaign underscores once again the importance of maintaining good security hygiene, which includes patching in a timely manner.

“Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take,” the researcher concludes.
