Drupalgeddon2 is a “highly critical” vulnerability that affects Drupal 7 and 8 core, it could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing an URL.
The Drupal development team has fixed the vulnerability in March 2018, but hackers continue to target Drupalgeddon2 in the wild.
The campaign recently discovered by Cashdollar sees the attackers attempting to run malicious code embedded in a .gif file.
The expert explained that the campaign is currently not widespread, it is targeting a broad range of high profile websites.
“I observed an attack that is designed to run code that is embedded
“The attack traffic doesn’t appear to be widespread at this time, nor does it appear to be specifically targeting a single industry vertical. Currently, the attack traffic seems to be directed towards a random assortment of high profile websites. The code I will be examining is embedded in the file index.inc.gif, which appears to be hosted on a compromised bodysurfing website located in Brazil.”
One of .gif files analyzed by the experts was hosted on a compromised
“The commands clean up any previous installations and then replace any
The malware supports several functions, such as scanning local files for credentials, sending email with the discovered credentials, replacing the local
The campaign also delivers a piece of malware stored in a .txt containing a Perl script that leverages Internet Relay Chat (IRC) for command and control (C&C) communication. The malware implements common RAT features and is also able to launch distributed denial-of-service (DDoS) attacks.
The malware also implements functionalities
“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the
“Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take.”
(SecurityAffairs – Drupalgeddon2, hacking)