For the past few months, multiple reports regarding a ransomware primarily affecting the popular CMS, Drupal have been emerging. The ransomware itself has no official name however is currently being dubbed as Rex. In May 2016, it was reported that 400 Drupal installations were affected, and this seems to be rising. Recent research has found that Rex, is able to infect WordPress and other CMS systems too.
How does Rex work?
The path Rex takes to infect Drupal applications is quite traditional and straightforward in that it leverages a known SQL Injection vulnerability (CVE-2014-3704) affecting all versions of Drupal 7 prior to 7.32 (patched version).
As a start, the malware runs an internet-wide scan for Drupal web applications looking for files (such as CHANGELOG.txt) to evaluate the version of Drupal that the web application is currently running on.
If the website is running a vulnerable version of Drupal, the malware infects the website, compromises the admin’s login credentials and finally defaces the application (including locking of blog posts) and leaves a ransomware note along the lines of:
Website is locked. Please transfer 1.4 BitCoin to address XXXXXXXX to unlock content.
The Rex malware is able to communicate with its C&C server via P2P, indicating that the owner of the malware has intentions to update the malware in the future. Rex will also send an email to all the addresses harvested from the web site threatening to DDOS their site if the ransom is not paid. It seems that the DDOS threat is a fake, but various web site admins prefer to pay the ransom rather than take the risk.
Detection & Remediation
Patching against this vulnerability is as simple as making sure that you are running the latest version of Drupal (or at least version 7.32) and this applies to all your web applications or web services. Acunetix is able to detect Drupal installations that are vulnerable, and thus susceptible to infection by Rex. The vulnerability will be reported as “Drupal core 7.x SQL injection vulnerability” as can be seen below.