KashmirBlack botnet has been active since November 2019 and is linked to an Indonesian hacker group known as PhantomGhost. Earlier the botnet's primary purpose was to infect websites and use their servers for cryptocurrency mining, redirecting legitimate traffic to spam pages and defacing websites. But in May of 2020 KashmirBlack underwent a couple of changes. The botnet now handles hundreds of bots, each communicating with the C2 server, performing brute force attacks, installing backdoors, and continuously expanding the size of the botnet.
KashmirBlack hunts for sites that use outdated software and then uses the exploits for known vulnerabilities, to compromise the site and its underlying server. Currently, botnet is targeting content management system (CMS) platforms.
The botnet infects machines by exploiting a PHPUnit remote code execution vulnerability (CVE-2017-9841) in CMS platforms. Network of the botnet is spread across 30 countries, controlled by a single C2 server, with over 60 surrogate servers. The botnet utilizes several vulnerabilities to hide itself in compromised machines and maintain its operations. In addition to this, the botnet uses software development frameworks like DevOps and Agile to add new devices in it. Most businesses are affected because of the recent spike in the number of users leveraging CMS platforms to support remote work.
|Content Management System (CMS)
- Botnet can be used to perform distributed denial of service (DDoS) attacks.
- Account credentials can be leaked leading to account takeovers.
- Provides the attacker access to a device and its connection to a network.
Spam bot - malicious and compromised files
- Files with prefix ‘original1.’
Known KashmirBlack IPs
- Make sure CMS core files and modules are updated.
- Use strong passwords.
- Deploy web application firewall (WAF).
- Access should be denied or limited for sensitive files and paths such as wp-config.php, install.php, and eval-stdin.php.
- Keep your system updated and use antivirus software.