Hackers continue to exploit a popular remote code execution (RCE) vulnerability (aka Drupalgeddon2) in Drupal content management system (CMS) that was patched more than year and a half ago. A new campaign was uncovered by Akamai’s lead researcher Larry Cashdollar and, according to the expert, the attackers target a broad range of high profile websites using malicious .GIF files to deliver malware.
Drupalgeddon2 tracked as CVE-2018-7600 stems from insufficient input validation on the Drupal 7 Form API. It affects all Drupal versions 7.x before 7.58, 8.3.x versions before 8.3.9, 8.4.x versions before 8.4.6, and 8.5.x before 8.5.1. First discovered in March 2018 the vulnerability can be triggered remotely on default and common Drupal installations, potentially leading to RCE, data theft, and website hijacking. The flaw was fixed by the Drupal team in the same month. At the time of discovery, it was estimated that more than one million websites were vulnerable and, although the patch was issued over a year ago, it seems that many websites’ owners failed to apply the fix putting their sites in danger.
The new campaign recently observed by Cashdollar exploits the vulnerability through a .GIF file that contains a malicious code.
“I observed an attack that is designed to run code that is embedded inside a .gif file. While embedding code in image file isn’t a new attack method, I haven’t seen this method in quite some time,” the researcher said.
So far the campaign doesn’t appear widespread and currently is directed against “a random assortment of high profile websites”.
Drupalgeddon2's image file, index.inc.gif, is being hosted on a Brazilian bodysurfing website which appears to have been hijacked. The image file contains obfuscated PHP code and malware packages which are base64 encoded.
“The commands clean up any previous installations and then replace any .htaccess configurations with versions that have less restrictive settings. Then two different files are downloaded and then executed. The first, index.inc.gif, contains obfuscated PHP code. It contains a GIF header, but the rest of the file is PHP code obscured using gzip compression, rot13, and base64 encoding. The Linux command file identifies it as a gif image,” according to the analysis.
The deployed malware supports several functions, such as scanning local files for credentials, sending email with the discovered credentials, replacing the local .htaccess file, displaying MySQL my.cnf configuration files, executing a remote file that is gz compressed and base64 encoded, showing system information, renaming files, uploading files, and launching a web shell.
The second malicious module found in the image file is a Perl script stored in mild.txt. The code isn't obfuscated, and like many other pieces of malware, uses Internet Relay Chat (IRC) to communicate with a command and control server. The malware has several capabilities, such as denial-of-service (DoS) and Remote Access Trojan (RAT) functionality.
“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability's exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems. This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems -- creating a pivot point on the network,” the researcher warned.