A highly sophisticated global botnet operation has been uncovered that performed a million attacks per day, including cryptocurrency mining, spamming and defacements. Dubbed “KashmirBlack,” the botnet is believed to have infected thousands of websites running popular CMS platforms like WordPress, Joomla, Drupal, and others.
According to a two-part report from security researchers at Imperva, who discovered and dissected the botnet, KashmirBlack has been in operation since November 2019. It utilizes exploits for dozens of known vulnerabilities, including the jQuery File Upload vulnerability (CVE-2018-9206), the vBulletin Widget RCE (CVE-2019-16759), and many more that allow the KashmirBlack operators to attack sites running CMS platforms such as WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart, and Yeager.
“It [the botnet] has a complex operation managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet,” the researchers said.
The botnet operators are also using cloud-based services such as GitHub, Pastebin and Dropbox to conceal their operation and control the botnet. The botnet uses two clusters of infected systems as repositories for code and exploits, and divides compromised systems into two groups - one is actively searching for new bots and the second is waiting for instructions.
Based on some clues left by the botnet operators, the researchers believe that the owner of KashmirBlack may be a hacker named Exect1337, a member of the Indonesian hacker crew PhantomGhost.
More detailed technical analysis of the KashmirBlack operations, as well as Indicators of Compromise (IoCs), is available in Imperva's two-part report.