KashmirBlack, a new botnet in the threat landscape that rapidly grows

Security experts spotted a new botnet, tracked as KashmirBlack botnet, that likely infected hundreds of thousands of websites since November 2019.

Security experts from Imperva have spotted a new sophisticated botnet, tracked as KashmirBlack is believed to have already infected hundreds of thousands of websites by exploiting vulnerabilities in their content management system (CMS) platforms.

The KashmirBlack botnet has been active at least since November 2019, operators leverages dozens of known vulnerabilities in the target servers.

Experts believe that the botmaster of the KashmirBlack botnet is a hacker that goes online with moniker “Exect1337,” who is a member of the Indonesian hacker crew ‘PhantomGhost’.

The experts observed millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world.

“It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.” reads the first part of two reports published by the experts detailing the DevOps implementation behind the botnet.

The primary purpose of the KashmirBlack botnet is to abuse resources of compromised systems for cryptocurrency mining and redirecting a site’s legitimate traffic to spam pages.

Experts observed a continuous growth of the botnet since its discovery along with an increasing level of complexity.

In May experts observed an increase in the command-and-control (C&C) infrastructure and the exploits used by botnet operators.

KashmirBlack scans the internet for sites using vulnerable CMS versions and attempting to exploit known vulnerabilities to them and take over the underlying server.

Below a list of vulnerabilities exploited by the botnet operators to compromise websites running multiple CMS platforms, including WordPress, Joomla!, PrestaShop, Magneto, Drupal, vBulletin, osCommerce, OpenCart, and Yeager:

• PHPUnit Remote Code Execution – CVE-2017-9841
• jQuery file upload vulnerability – CVE-2018-9206
• ELFinder Command Injection – CVE-2019-9194
• Joomla! remote file upload vulnerability
• Magento Local File Inclusion – CVE-2015-2067
• Magento Webforms Upload Vulnerability
• CMS Plupload Arbitrary File Upload
• Yeager CMS vulnerability – CVE-2015-7571
• Multiple vulnerabilities including File Upload & RCE for many plugins in multiple platforms here
• WordPress TimThumb RFI Vulnerability – CVE-2011-4106
• Uploadify RCE vulnerability
• vBulletin Widget RCE – CVE-2019-16759
• WordPress install.php RCE
• WordPress xmlrpc.php Login Brute-Force attack
• WordPress multiple Plugins RCE (see full list here)
• WordPress multiple Themes RCE (see full list here)
• Webdav file upload vulnerability

“During our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay,” Imperva concludes.

The second part of the report also includes Indicators of Compromise (IoCs) for this botnet.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, KashmirBlack botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]