KashmirBlack botnet targets WordPress, Joomla and other popular CMS platforms
If you are a malware researcher, you’ve probably heard of KashmirBlack, a botnet that has been in the wild since 2019. If you are not a malware researcher, you may not have heard of it — and this needs to change (especially if you are invested in cryptocurrency and the mining thereof).
This article will detail the KashmirBlack botnet. We will explore what it is, how it works and what you can do to remediate or mitigate it. While this may be a new one to you, you will certainly remember it by the end of this article.
What is KashmirBlack?
KashmirBlack is a botnet that has been exploiting dozens of vulnerabilities within widely used content management systems (CMS) to compromise hundreds of thousands of systems across 30 countries. Researchers estimate that KashmirBlack infects somewhere around 700 systems per day.
Part of the secret sauce to this fast-spreading botnet is that it targets sites hosted on popular CMS systems. The popularity of these CMS entities, such as WordPress, Joomla, Magento and PrestaShop, makes the job of the KashmirBlack operators easier because it means the potential to reach multiple victims within a short amount of time. The proof is in the numbers, as KashmirBlack launches millions of attacks daily — which is another reason for its fast spread capability.
KashmirBlack is believed to be the product of a hacker named Exect1337, part of a hacker gang named PhantomGhost, out of Indonesia. This group is known for defacement and is considered to be an active hacker crew engaging in cybercrime.
How does KashmirBlack work?
KashmirBlack is an interesting botnet: it has some unique characteristics that set it apart from others, with the purpose of either abusing compromised systems’ resources to mine the Monero cryptocurrency and redirecting legitimate website traffic over to spam sites. It has a well-designed infrastructure which makes expanding the botnet easy by adding new exploits and payloads, which will be explored below.
Unlike the organization of other botnets, KashmirBlack has a more complex organization where there are 60 servers, known as compromised content management servers, that are controlled by its command-and-control (C2) server. Controlling these 60 servers allows the C2 server to control hundreds of bots simultaneously to send new targets and to expand the size of its botnet through the use of back doors and brute-force attacks.
KashmirBlack exploitation normally begins with taking advantage of CVE-2017-9841, or the PHPUnit RCE vulnerability, to infect victims with next-stage malicious payloads. These payloads then communicate with the C2 server for further instruction.
The infrastructure of this botnet is modular, consisting of separate components. Instead of relying upon one repository of data to communicate with the C2 server, KashmirBlack relies on two — one repository is dedicated to malicious scripts used in communication with the C2 and the second repository dedicated to hosting exploits and payloads.
Another interesting aspect about this botnet is that it uses two categories of bots. The first type of bot, known as a spreading bot, is a compromised victim server that receives commands from the C2 server instructing the spreading bot to infect new-found victims. The other bot type, a pending bot, is a bot whose purpose in the botnet has not yet been defined. It’s sort of like a new recruit without a specific focus but waiting for their first assignment.
KashmirBlack has made some changes recently that will make this botnet even more effective. For starters, the fact that KashmirBlack grows so rapidly introduced an issue to its creators — that of scalability. There is no use getting so big without a way to control the monster you have created. In response, a load balancer was added to help with this by returning the address of one of KashmirBlack’s redundant servers.
This next change is both the biggest and has been described as the most insidious. KashmirBlack has scrapped the use of the C2 infrastructure altogether and has replaced it with Dropbox. It abuses the cloud-based service’s API to receive instructions for attack, as well as upload attack reports coming from the so-called spreading bots.
This move to a cloud web service helps to hide KashmirBlack’s traffic by making it more difficult to trace and helps to secure the operations of the C2 behind with the use of the cloud services in-built security. It is analogous to conducting criminal activity in a rent-a-space business that has the protection of a high fence and security guards.
How to remediate and mitigate KashmirBlack
The good thing is you can actively remediate and mitigate KashmirBlack. Here are some suggestions that you should use toward this end.
If you are infected with KashmirBlack:
- Kill malicious processes you find
- Remove malicious files
- Remove cron jobs that are suspicious or unfamiliar
- Remove plugins and themes that you do not use or need
Suggestions for mitigation if you only suspect KashmirBlack infection:
- Update core files of the CMS and third-party modules and ensure that they are properly configured
- Deny unauthorized access to paths such as install.php, eval-stdin.php and wp-config.php, as well as sensitive files
- Use strict password policies and integrate two factor authentication (2FA) if possible
KashmirBlack is a botnet that targets sites on popular CMS platforms with the purpose of crypto mining (Monero specifically) and sending spam to potential future victims. It has a unique infrastructure that includes two data repositories and 60 compromised content servers which the C2 uses to wage a fast-growing botnet operation.
Those involved with cryptocurrency will do well in keeping the above recommendations for mitigation at hand, but something tells me they already have, given their bleeding-edge approach to things.
KashmirBlack, a new botnet in the threat landscape that rapidly grows, Security Affairs