It is believed that a highly sophisticated botnet has infected hundreds of thousands of websites by attacking their content management system (CMS) platforms.
Named KashmirBlack, the botnet began operating in November 2019.
Imperva security researchers, who analyzed the botnet last week in a two-part series of posts, said its primary purpose appears to be infecting websites and then using their servers for cryptocurrency mining and for redirecting legitimate site traffic to spam pages, and, to a lesser extent, for website defacement.
According to Imperva, the botnet started out on a small scale, but after months of steady growth, has evolved into a sophisticated juggernaut capable of attacking thousands of sites per day.
The most significant changes took place in May 2020, when the botnet expanded both its command-and-control (C&C) infrastructure and its infection tools.
Today, KashmirBlack is “managed by a single C&C (Command and Control) server and uses more than 60 servers – mostly compromised devices – as part of its infrastructure,” Imperva said.
“The botnet manages hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors and expand the size of the botnet.”
KashmirBlack thrives by scanning the internet for sites running outdated CMSs, then using exploits for known vulnerabilities to infect the site and its server.
Some of the hacked servers are then used for spamming or cryptomining, while others are used to attack further sites and keep the botnet growing.
Since November 2019, Imperva says it has observed the exploitation of 16 vulnerabilities by the botnet:
The exploits listed above allowed KashmirBlack operators to attack sites running CMS platforms such as WordPress, Joomla, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart and Yeager.
Some exploits attacked the CMS itself, while others attacked some of its internal components and libraries.
“In our research, we’ve seen it evolve from a mid-volume botnet with basic capabilities to a massive infrastructure that’s here to stay,” Imperva researchers said on Friday.
Based on multiple clues they found, Imperva researchers said they believe the botnet is the work of a hacker operating under the pseudonym Exect1337, a member of the Indonesian hacking crew PhantomGhost.