KashmirBlack botnet targets WordPress, Joomla and other popular CMS platforms
Introduction
If you are a malware researcher, you’ve probably heard of KashmirBlack, a botnet that has been in the wild since 2019. If you are not a malware researcher, you may not have heard of it — and this needs to change (especially if you are invested in cryptocurrency and the mining thereof).
This article will detail the KashmirBlack botnet. We will explore what it is, how it works and what you can do to remediate or mitigate it. While this may be a new one to you, you will certainly remember it by the end of this article.
What is KashmirBlack?
KashmirBlack is a botnet that has been exploiting dozens of vulnerabilities within widely used content management systems (CMS) to compromise hundreds of thousands of systems across 30 countries. Researchers estimate that KashmirBlack infects somewhere around 700 systems per day.
Part of the secret sauce to this fast-spreading botnet is that it targets sites hosted on popular CMS systems. The popularity of these CMS entities, such as WordPress, Joomla, Magento and PrestaShop, makes the job of the KashmirBlack operators easier because it means the potential to reach multiple victims within a short amount of time. The proof is in the numbers, as KashmirBlack launches millions of attacks daily — which is another reason for its fast spread capability.
KashmirBlack is believed to be the product of a hacker named Exect1337, part of a hacker gang named PhantomGhost, out of Indonesia. This group is known for defacement and is considered to be an active hacker crew engaging in cybercrime.
How does KashmirBlack work?
KashmirBlack is an interesting botnet: it has some unique characteristics that set it apart from others, with the purpose of either abusing compromised systems’ resources to mine the Monero cryptocurrency and redirecting legitimate website traffic over to spam sites. It has a well-designed infrastructure which makes expanding the botnet easy by adding new exploits and payloads, which will be explored below.
Unlike the organization of other botnets, KashmirBlack has a more complex organization where there are 60 servers, known as compromised content management servers, that are controlled by its command-and-control (C2) server. Controlling these 60 servers allows the C2 server to control hundreds of bots simultaneously to send new targets and to expand the size of its botnet through the use of back doors and brute-force attacks.
KashmirBlack exploitation normally begins with taking advantage of CVE-2017-9841, or the PHPUnit RCE vulnerability, to infect victims with next-stage malicious payloads. These payloads then communicate with the C2 server for further instruction.
The infrastructure of this botnet is modular, consisting of separate components. Instead of relying upon one repository of data to communicate with the C2 server, KashmirBlack relies on two — one repository is dedicated to malicious scripts used in communication with the C2 and the second repository dedicated to hosting exploits and payloads.
Another interesting aspect about this botnet is that it uses two categories of bots. The first type of bot, known as a spreading bot, is a compromised victim server that receives commands from the C2 server instructing the spreading bot to infect new-found victims. The other bot type, a pending bot, is a bot whose purpose in the botnet has not yet been defined. It’s sort of like a new recruit without a specific focus but waiting for their first assignment.
KashmirBlack has made some changes recently that will make this botnet even more effective. For starters, the fact that KashmirBlack grows so rapidly introduced an issue to its creators — that of scalability. There is no use getting so big without a way to control the monster you have created. In response, a load balancer was added to help with this by returning the address of one of KashmirBlack’s redundant servers.
This next change is both the biggest and has been described as the most insidious. KashmirBlack has scrapped the use of the C2 infrastructure altogether and has replaced it with Dropbox. It abuses the cloud-based service’s API to receive instructions for attack, as well as upload attack reports coming from the so-called spreading bots.
This move to a cloud web service helps to hide KashmirBlack’s traffic by making it more difficult to trace and helps to secure the operations of the C2 behind with the use of the cloud services in-built security. It is analogous to conducting criminal activity in a rent-a-space business that has the protection of a high fence and security guards.
How to remediate and mitigate KashmirBlack
The good thing is you can actively remediate and mitigate KashmirBlack. Here are some suggestions that you should use toward this end.
If you are infected with KashmirBlack:
- Kill malicious processes you find
- Remove malicious files
- Remove cron jobs that are suspicious or unfamiliar
- Remove plugins and themes that you do not use or need
Suggestions for mitigation if you only suspect KashmirBlack infection:
- Update core files of the CMS and third-party modules and ensure that they are properly configured
- Deny unauthorized access to paths such as install.php, eval-stdin.php and wp-config.php, as well as sensitive files
- Use strict password policies and integrate two factor authentication (2FA) if possible
Conclusion
KashmirBlack is a botnet that targets sites on popular CMS platforms with the purpose of crypto mining (Monero specifically) and sending spam to potential future victims. It has a unique infrastructure that includes two data repositories and 60 compromised content servers which the C2 uses to wage a fast-growing botnet operation.
Those involved with cryptocurrency will do well in keeping the above recommendations for mitigation at hand, but something tells me they already have, given their bleeding-edge approach to things.
Sources
KashmirBlack Botnet Hijacks Thousands of Sites Running on Popular CMS Platforms, The Hacker News
KashmirBlack, a new botnet in the threat landscape that rapidly grows, Security Affairs
In this Series
- KashmirBlack botnet targets WordPress, Joomla and other popular CMS platforms
- Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
- Dependency confusion: Compromising the supply chain
- BendyBear: A shellcode attack used for cyberespionage
- ATP group MontysThree uses MT3 toolset in industrial cyberespionage
- BlackBerry exposes threat actor group BAHAMUT: Cyberespionage, phishing and other APTs
- Top 9 cybercrime tactics, techniques and trends in 2020: A recap
- BAHAMUT: Uncovering a massive hack-for-hire cyberespionage group
- Linux security and APTs: Identifying threats and reducing risk
- Top 6 ransomware strains to watch out for in 2020
- 2020 Verizon data breach investigations report: Summary and key findings for security professionals
- How hackers use CAPTCHA to evade automated detection
- The State of Ransomware 2020: Key findings from Sophos & Malwarebytes
- Dark web fraud: How-to guides make cybercrime too easy
- Top 6 malware strains to watch out for in 2020
- Top Cybersecurity Predictions for 2020
- Malware spotlight: What is click fraud?
- What does dark web monitoring really do?
- ThreatMetrix Cybercrime Report: An interview
- Are dark web monitoring services worth it?
- Cybercrime and the underground market [Updated 2019]
- Verizon DBIR 2019 analysis
- Common causes of large breaches (Q1 2019)
- The Magecart Cybercrime Group Is Threatening E-Commerce Websites Worldwide
- Russian Cyberspies Target 2018 U.S. Midterm Elections
- The Increasing Threat of Banking Trojans and Cryptojacking
- Leaders’ Meetings: A Privileged Target for Hackers
- Fraud as a Service (FaaS): Everything You Need to Know
- All about SamSam Ransomware
- The Decline of Ransomware and the Rise of Cryptocurrency Mining Malware
- Mechanics Behind Ransomware-as-a-Service
- The Art of Fileless Malware
- ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS
- Which Are the Most Exploited Flaws by Cybercriminal Organizations?
- 5 New Threats Every Organization Should be Prepared for in 2018
- Memcrashed: The Dangerous Trend Behind the Biggest DDoS Attack Ever
- Open source threat intelligence tools & techniques
- Global Cost of Cybercrime on the Rise
- An Enterprise Guide to Using Threat Intelligence for Cyber Defense
- The Five Largest Ransomware Attacks of 2017
- Intellectual Property Crimes in the Dark Web
- Top 5 Smartest Malware Programs
- Is Russian Intelligence Using Tainted Software to Access Corporate and Government Networks?
- Vault 7 Leaks: Inside the CIA's Secret Kingdom (July-August 07)
- DragonFly 2.0: The Alleged Nation-State Actor Hits the Energy Sector Again
- Russian APT Groups Continue Their Stealthy Operations
- Massive Petya Attack: Cybercrime or Information Warfare?
- SAP SECURITY FOR CISO: SAP Attacks and Incidents
- Role of Threat Intelligence in Business World
- WikiLeaks Vault 7 Data Leak: Another Earthquake in the Intelligence Community
- Past and Present Iran-linked Cyber-Espionage Operations
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Threat Intelligence
Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
Threat Intelligence
Threat Intelligence
Threat Intelligence
ATP group MontysThree uses MT3 toolset in industrial cyberespionage