26 October 2020

KashmirBlack botnet targets popular CMS platforms to mine cryptocurrency, spread spam


A highly sophisticated global botnet operation has been uncovered that performed a million attacks per day, including cryptocurrency mining, spamming and defacements. Dubbed “KashmirBlack,” the botnet is believed to have infected thousands of websites running popular CMS platforms like WordPress, Joomla, Drupal, and others.

According to a two-part report from security researchers at Imperva, who discovered and dissected the botnet, KashmirBlack has been in operation since November 2019. It utilizes exploits for dozens of known vulnerabilities, including the jQuery File Upload arbitrary file upload vulnerability (CVE-2018-9206), the vBulletin widget RCE (CVE-2019-16759), and many more that allow the KashmirBlack operators to attack sites running CMS platforms such as WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart, and Yeager.
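Two of the exploits named above leave recognisable traces in ordinary web server access logs, which makes a quick log triage a practical first check for a site owner. The script below is an added example, not code from Imperva's report or from the article: it parses common-format access log lines and flags the publicly documented exploitation paths for CVE-2018-9206 (a POST to the jQuery-File-Upload PHP handler under `server/php/`, followed by requests for a `.php` file in its `files/` directory) and CVE-2019-16759 (the vBulletin `routestring=ajax/render/widget_php` route with a `widgetConfig[code]` parameter). The log lines and IP addresses are constructed for the demo.

```python
"""Triage web access logs for the two CVE exploit paths the article names.

Added example (not from the Imperva report or the original article). The
log lines below are constructed for this demo; the request patterns are the
publicly documented exploitation paths for CVE-2018-9206 (blueimp
jQuery-File-Upload) and CVE-2019-16759 (vBulletin 5.x widget_php RCE).
"""
import re
from urllib.parse import unquote

# Common/combined log format: ip ident user [ts] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (documentation-range IPs, not real attackers).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Oct/2020:10:01:12 +0000] "POST /jquery-file-upload/server/php/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Oct/2020:10:01:13 +0000] "GET /jquery-file-upload/server/php/files/shell.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Oct/2020:10:02:40 +0000] "GET /?routestring=ajax/render/widget_php&widgetConfig%5Bcode%5D=echo%20shell_exec(%27id%27)%3B%20exit%3B HTTP/1.1" 200 301 "-" "python-requests/2.24"
192.0.2.17 - - [26/Oct/2020:10:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Each rule: CVE id, reason string, predicate over (method, URL-decoded path).
RULES = [
    (
        "CVE-2018-9206",
        "upload to jQuery-File-Upload PHP handler",
        lambda m, p: m == "POST"
        and re.search(r"/server/php/(index|upload)\.php$", p.split("?")[0]) is not None,
    ),
    (
        "CVE-2018-9206",
        "PHP file requested from jQuery-File-Upload files/ directory (possible web shell)",
        lambda m, p: re.search(r"/server/php/files/[^?]*\.php", p) is not None,
    ),
    (
        "CVE-2019-16759",
        "vBulletin widget_php route / widgetConfig[code] parameter",
        lambda m, p: "routestring=ajax/render/widget_php" in p
        or "widgetconfig[code]" in p.lower(),
    ),
]


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %xx escapes so encoded parameter names (widgetConfig%5Bcode%5D) match.
    rec["path"] = unquote(rec["path"])
    rec["status"] = int(rec["status"])
    return rec


def scan(log_text):
    """Run every rule over every parseable line; return one hit per (line, rule)."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for cve, why, pred in RULES:
            if pred(rec["method"], rec["path"]):
                hits.append({"ip": rec["ip"], "cve": cve, "why": why,
                             "status": rec["status"], "path": rec["path"]})
    return hits


def attacker_ips(hits):
    """Distinct source IPs across all hits, sorted for stable output."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['ip']:<14} {h['cve']}  HTTP {h['status']}  {h['why']}")
    print("sources:", ", ".join(attacker_ips(scan(SAMPLE_LOG))))
```

Two caveats. A 200 response to the upload POST or to the `.php` file under `files/` is the signal that matters; a 404 on the same paths is only evidence of scanning. And the vBulletin payload is frequently sent in the POST body rather than the query string, in which case a plain access log shows only `POST /index.php` and the `widgetConfig[code]` parameter is visible only in WAF or request-body logging.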

“It [the botnet] has a complex operation managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet,” the researchers said.

The botnet operators also use cloud-based services such as GitHub, Pastebin and Dropbox to conceal their operation and control the botnet. The botnet uses two clusters of infected systems as repositories for its code and exploits, and divides compromised systems into two groups: one actively searches for new bots, the other waits for instructions.

Based on clues left by the botnet operators, the researchers believe that the owner of KashmirBlack may be a hacker using the handle Exect1337, a member of the Indonesian hacker crew PhantomGhost.

More detailed technical analysis of the KashmirBlack operation, as well as Indicators of Compromise (IoCs), is available in Imperva's two-part report.
