UPDATED 20:50 EDT / NOVEMBER 19 2018

SECURITY

Make-A-Wish website cryptojacked with increasingly popular CoinImp script

Proving that some hackers have no morals whatsoever, the website of the Make-A-Wish Foundation has been “cryptojacked” to serve an increasingly popular cryptomining script to its visitors.

Discovered by Simon Kenin, a security researcher at Trustwave SpiderLabs, and publicized today, the hack involved unknown hackers accessing the Make-A-Wish website through a Drupal vulnerability dubbed Drupalgeddon 2.

A Drupalgeddon 2 attack takes advantage of Drupal installations that have not patched CVE-2018-7600 and CVE-2018-7602, two vulnerabilities that were first targeted by cryptomining hackers in May.

Although the attack was notable for its target, prompting The Register to ask, “Do they accept Monero in hell?” the more interesting part of the attack was the deployment of an increasingly popular form of cryptomining script.

Called CoinImp, the coin mining script first became available in December and works in a similar fashion to market leader Coinhive. Users insert JavaScript code on a website, and visitors to the site have their computers hijacked to mine Monero, or another cryptocurrency called webchain.network, for as long as they are on the page.

CoinImp takes a 1 percent fee on mined cryptocurrency and also offers a referral program that allows script users to sign up others to get a percentage of what their referrals mine.

“What’s interesting about this particular campaign is that it uses different techniques to avoid static detections,” Kenin wrote. “It starts with changing the domain name that hosts the JavaScript miner, which is itself obfuscated…. The WebSocket proxy also uses different domains and IPs which make blacklist solutions obsolete.”

The script’s ability to evade traditional blacklist-based defenses, such as antivirus software and similar products, may result in more attacks using it.

“The CoinIMP cryptominer is growing rapidly in popularity and the combination of a well-trafficked charity site paired with the season of giving made this the perfect target for a large-scale cyberattack,” a spokesperson for Trustwave told SiliconANGLE.

Kenin noted that enterprises and other website owners should deploy endpoint protection capable of detecting cryptominers, monitor changes to their websites and audit those changes to make sure they were authorized, and always make sure that their website software is up to date with patches.
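One defender-side way to act on both the evasion point Kenin describes and his advice to monitor website changes, as an added example that is not part of the article or of Trustwave’s research: rather than blacklisting known miner domains, allowlist the hosts a page’s scripts may load from or open WebSockets to, so a rotating miner host or proxy is flagged whatever its name. The allowed hostnames, the `.invalid` domains and the sample page are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from (assumed for this example).
ALLOWED_HOSTS = {"www.example-charity.org", "cdn.example-charity.org"}
# WebSocket URLs inside inline scripts, e.g. a miner's proxy endpoint.
WS_RE = re.compile(r"wss?://[^\s'\"\)]+")

class ScriptCollector(HTMLParser):
    """Collects external <script src> values and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_unexpected_hosts(html, allowed=ALLOWED_HOSTS):
    """Return sorted hostnames that page scripts load from or connect to
    and that are not allowlisted; relative (same-origin) URLs are ignored."""
    p = ScriptCollector()
    p.feed(html)
    refs = list(p.srcs)
    for body in p.inline:
        refs.extend(WS_RE.findall(body))
    hosts = {urlparse(r).hostname for r in refs}  # '//host/x' parses too
    return sorted(h for h in hosts if h and h not in allowed)

# Constructed sample page: legitimate scripts plus an injected obfuscated
# loader and a WebSocket to a proxy on an unrelated domain.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-charity.org/site.js"></script>
<script src="/js/donate.js"></script>
<script src="//miner-host.invalid/lib/x.js"></script>
<script>var _0x1f=new WebSocket('wss://ws-proxy.invalid:8443/');</script>
</head><body>Donate</body></html>"""
if __name__ == "__main__":
    print(find_unexpected_hosts(SAMPLE_HTML))  # ['miner-host.invalid', 'ws-proxy.invalid']
```

Run against a fresh fetch of each page on a schedule and compare with the previous result, so a newly injected script tag shows up as a change to audit.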
