Make-A-Wish Website Was Infected with Cryptocurrency Mining Malware

cageymaru

The Make-A-Wish website was recently infected with a cryptocurrency mining malware called CoinImp which was hosted by "drupalupdates.tk." Cybercriminals obfuscate malware with various methods that make blacklist solutions obsolete. Trustwave says the injected script was removed. Trustwave SWG recommends using dynamic web analysis to detect threats as these techniques are futile against it and for website owners to keep their Drupal version updated. The article lists other methods of mitigation.

A quick investigation showed that the domain "drupalupdates.tk" that was used to host the mining script is part of a known campaign which has been exploiting Drupalgeddon 2 in the wild since May 2018. What's interesting about this particular campaign is that it uses different techniques to avoid static detections: It starts with changing the domain name that hosts the JavaScript miner, which is itself obfuscated (Fig 4). The WebSocket proxy also uses different domains and IPs which make blacklist solutions obsolete. We made attempts to contact the Make-A-Wish organization, and while they didn't respond to us, we're happy to note that the injected script was removed from their site shortly after our outreach attempt.
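As an added illustration of the point in the quoted paragraph (not code from Trustwave or from this thread): a domain blacklist only matches the one domain named in the report, while a site owner's baseline of expected script hosts still flags the injected tag after the attacker rotates to a new domain. The HTML pages, the baseline host list and the rotated domain are constructed placeholders.

```python
"""Blacklist vs. baseline check for injected script tags (added example).

The report says the campaign rotates the domain hosting the obfuscated miner,
so a static blacklist goes stale. A baseline of the script hosts the site
owner expects keeps catching the deviation. All HTML here is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Blacklist built from the single domain named in the report.
BLACKLIST = {"drupalupdates.tk"}
# Script hosts the site owner expects (constructed baseline; "" = same-origin/inline).
BASELINE = {"", "cdn.site-placeholder.example"}


class _ScriptSrcCollector(HTMLParser):
    """Collects the host of every <script src=...> (empty string for same-origin/inline)."""

    def __init__(self) -> None:
        super().__init__()
        self.hosts: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "script":
            return
        src = dict(attrs).get("src")
        host = (urlsplit(src).hostname or "") if src else ""
        self.hosts.append(host)


def script_hosts(html: str) -> list[str]:
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return parser.hosts


def blacklist_hits(html: str) -> list[str]:
    """Static approach: only known-bad hosts are reported."""
    return [h for h in script_hosts(html) if h in BLACKLIST]


def baseline_deviations(html: str) -> list[str]:
    """Baseline approach: any host not on the owner's expected list is reported."""
    return [h for h in script_hosts(html) if h not in BASELINE]


# Constructed pages: V1 loads the miner from the reported domain, V2 from a rotated one.
PAGE_V1 = ('<html><head><script src="/js/site.js"></script>'
           '<script src="https://drupalupdates.tk/m.js"></script></head></html>')
PAGE_V2 = ('<html><head><script src="/js/site.js"></script>'
           '<script src="https://rotated-placeholder.example/m.js"></script></head></html>')
```

Running both checks over the two pages shows the blacklist reporting nothing for the rotated page while the baseline check still flags it.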
 
It's a bummer that this has happened to such a site, but I also get the feeling that it was handed out to someone's kid who is a "web developer".
 