An active botnet comprising hundreds of thousands of hijacked systems spread across 30 countries is exploiting “dozens of known vulnerabilities” to target widely-used content management systems (CMS).
The “KashmirBlack” campaign, which is believed to have started around November 2019, aims for popular CMS platforms such as WordPress, Joomla!, PrestaShop, Magneto, Drupal, Vbulletin, OsCommerence, OpenCart, and Yeager.
“Its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation,” Imperva researchers said in a two-part analysis.
The cybersecurity firm’s six-month-long investigation into the botnet reveals a complex operation managed by one command-and-control (C2) server and more than 60 surrogate servers that communicate with the bots to send new targets, allowing it to expand the size of the botnet via brute force attacks and installation of backdoors.
The primary purpose of KashmirBlack is to abuse resources of compromised systems for Monero cryptocurrency mining and redirect a website’s legitimate traffic to spam pages. But it has also been leveraged to carry out defacement attacks.
Regardless of the motive, the exploitation attempts begin with making use of PHPUnit RCE vulnerability (CVE-2017-9841) to infect customers with next-stage malicious payloads that communicate with the C2 server.
Based on the attack signature it found during once such defacements, Imperva researchers said they believed the botnet was the work of a hacker named Exect1337, a member of the Indonesian hacker crew PhantomGhost.
KashmirBlack’s infrastructure is complex and comprises a number of moving parts, including two separate repositories — one to host exploits and payloads, and the other to store the malicious script for communication with the C2 server.
The bots themselves are either designated as a ‘spreading bot,’ a victim server that communicates with the C2 to receive commands to infect new victims, or a ‘pending bot,’ a newly compromised victim whose purpose in the botnet is yet to be defined.
While CVE-2017-9841 is used to turn a victim into a spreading bot, successful exploitation of 15 different flaws in CMS systems leads to a victim site becoming a new pending bot in the botnet. A separate WebDAV file upload vulnerability has been employed by the KashmirBlack operators to result in defacement.
But just as the botnet grew in size and more bots began fetching payloads from the repositories, the infrastructure was tweaked to make it more scalable by adding a load balancer entity that returns the address of one of the redundant repositories that were newly setup.
The latest evolution of KashmirBlack is perhaps the most insidious one. Last month, the researchers found the botnet using Dropbox as a replacement for its C2 infrastructure, abusing the cloud storage service’s API to fetch attack instructions and upload attack reports from the spreading bots.
“Moving to Dropbox allows the botnet to hide illegitimate criminal activity behind legitimate web services,” Imperva said. “It is yet another step towards camouflaging the botnet traffic, securing the C&C operation and, most importantly, making it difficult to trace the botnet back to the hacker behind the operation.”