Hundreds of websites running on the Drupal content management system – including those of the San Diego Zoo as well as the National Labor Relations Board – were targeted by a malicious cryptojackingcryptomining campaign taking advantage of unpatched and recently revealed vulnerabilities.

The attacks, which have impacted 400+ government and university websites leverage the critical remote-code execution vulnerability (CVE-2018-7600) called Drupalgeddon 2.0, said Troy Mursch, researcher with Bad Packets Report. The Drupal bug in question has been patched for over a month.

“After the scan completed, the full scope of this cryptojacking campaign was established,” Troy Mursch wrote in a report posted Saturday. “Using the bulk scan feature of, it became clear that these were all sites were running outdated and vulnerable versions of Drupal content management system.”

As of Tuesday Mr. Mursch said he has found more sites that were targeted by the attack, including that of Lenovo, UCLA, and Office of Inspector General of the U.S. Equal Employment Opportunity Commission (a US federal government agency).

The cryptominer in question was made by Coinhive, a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. Coinhive’s JavaScript miner software is often used by hackers, who secretly embed the code into sites and then mine Monero currency by tapping the CPU processing power of site visitors’ phones, tablets and computers.

“Digging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method,” Mursch wrote. “The malicious code was contained in the ‘/misc/jquery.once.js?v=1.2’ JavaScript library.”

Troy Mursch said he was notified by one of his Twitter followers soon after of additional compromised sites using a different payload – however, all the infected sites pointed to the same domain using the same Coinhive site key. Coinhive’s site key is code linked to a unique cryptographic key that delegates who keeps the cryptocurrency that is being mined.

That domain used to inject the malware was vuuwd[.]com, according to Troy Mursch. “Once the code was de-obfuscated, the reference to ‘http://vuuwd[.]com/t.js’ was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.”

The site key used, meanwhile, was “KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.” Troy Mursch said he confirmed the key was still active by checking in Fiddler.

Mursch said that the miner was only slightly throttled so that it had a reduced impact on visitors’ CPUs and would be harder to detect.

Typically, cryptojacking attacks are not throttled and use 100% of the target’s CPU. As a result victims can sometimes experience overheating of their phone or computer as their device gets bogged down by an over-taxed processor.

When trying to nail down the owner of vuuwd[.]com, Mursch came across fake data from WHOIS indicating that “it belongs to ‘X XYZ’ who lives on ‘joker joker’ street in China,” he explained in a Tweet. However, the email address that was used ( provided a small hint as it was associated with other registered domains.

The domain name vuuwd[.]com was also used previously in Monero mining operations through mineXMR[.]com, said Mursch: “While it’s somewhat unusual they’d switch from a mining pool with a 1% fee to Coinhive, who takes a 30% cut of all mining proceeds, it was the choice they made,” he said.

Drupalgeddon 2.0, which has been patched for over a month now and impacts versions 6,7, and 8 of Drupal’s CMS platform, “potentially allows attackers to exploit several attack vectors on a Drupal site, which could result in the site being completely compromised,” according to MITRE’s Common Vulnerabilities & Exposures bulletin back on March 28.

Since Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits, botnets and cryptomining malware have cropped up – including a recent attack, leveraging the “Kitty” cryptomining malware, which cashed in on the vulnerable Drupal websites.

Beyond the Kitty malware,  researchers have found a botnet, dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems.

More recently, attackers behind a ransomware attack hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.

“We’ve seen many examples of Drupalgeddon 2 being exploited in the past few weeks,” said Troy Mursch in the report. “This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you’re a site operator using Drupal’s content management system, you need to update to the latest available version ASAP.”

Olé Crypto,

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.