Researchers from Akamai uncovered a new campaign targeting the Drupalgeddon2 vulnerability to deliver malware.
Drupalgeddon2 is a “highly critical” vulnerability that affects Drupal 7 and 8 core, it could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing an URL.
The Drupal development team has fixed the vulnerability in March 2018, but hackers continue to target Drupalgeddon2 in the wild.
The campaign recently discovered by Cashdollar sees the attackers attempting to run malicious code embedded in a .gif file.
The expert explained that the campaign is currently not widespread, it is targeting a broad range of high profile websites.
“I observed an attack that is designed to run code that is embedded inside a .gif file. While embedding code in image file isn’t a new attack method, I haven’t seen this method in quite some time.” reads the analysispublished by Cashdollar.
“The attack traffic doesn’t appear to be widespread at this time, nor does it appear to be specifically targeting a single industry vertical. Currently, the attack traffic seems to be directed towards a random assortment of high profile websites. The code I will be examining is embedded in the file index.inc.gif, which appears to be hosted on a compromised bodysurfing website located in Brazil.”
One of .gif files analyzed by the experts was hosted on a compromised bodysurfing website located in Brazil. The file contained obfuscated PHP code designed to decode base64-encoded malware that was stored by threat actors in a variable.
“The commands clean up any previous installations and then replace any .htaccess configurations with versions that have less restrictive settings.” continues the analysis. Then two different files are downloaded and then executed. The first, index.inc.gif, contains obfuscated PHP code. It contains a GIF header, but the rest of the file is PHP code obscured using gzip compression, rot13, and base64 encoding.”
The malware supports several functions, such as scanning local files for credentials, sending email with the discovered credentials, replacing the local .htaccess file, displaying MySQL my.cnf configuration files, execute a remote file that is gz compressed and base64 encoded, showing system information, renaming files, uploading files, and launching a web shell.
The campaign also delivers a piece of malware stored in a .txt containing a Perl script that leverages Internet Relay Chat (IRC) for command and control (C&C) communication. The malware implements common RAT features and is also able to launch distributed denial-of-service (DDoS) attacks.
The malware also implements functionalities to gather information from the local system and to control infected systems, it also supports a SQL flood command. The fact that attackers are still exploiting the Drupalgeddon2 flaw highlights the importance of patch management in enterprises.
“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability’s exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems.” Cashdollar concludes. “This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems — creating a pivot point on the network.”
“Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take.”