In a security investigation it was determined that a botnet known as “KashmirBlack” has infected thousands of websites since November 2019 and continues to grow actively, attacking content management systems (CMS) such as WordPress, Joomla!, Drupal and others. The main objective of this botnet is to infect websites and use their servers for cryptocurrency mining, redirect legitimate site traffic to spam pages and, to a lesser degree, deface websites.

According to the researchers, this botnet started out very small, but after months of constant growth it has become a giant network capable of attacking thousands of sites per day. This is due to its well-designed infrastructure, which makes it easy to expand and to add new exploits or payloads with little effort, together with sophisticated methods to disguise itself and go unnoticed, protecting its operation.

The main purpose of KashmirBlack is to use the resources of compromised systems (CPU, GPU) for Monero cryptocurrency mining and to redirect legitimate website traffic to spam pages. Exploitation begins with the PHPUnit RCE vulnerability (CVE-2017-9841), which is used to infect victims with the payload that later communicates with the C2 server.

During the investigation period it was also observed that the botnet has taken advantage of 16 known vulnerabilities, in addition to the one already mentioned, in different systems, some of them very critical:

▸Remote code execution in PHPUnit – CVE-2017-9841.

▸jQuery File Upload vulnerability – CVE-2018-9206.

▸Command injection in elFinder – CVE-2019-9194.

▸Remote file upload vulnerability in Joomla!

▸Local File Inclusion vulnerability in Magento – CVE-2015-2067.

▸Magento web form upload vulnerability.

▸CMS Plupload arbitrary file upload vulnerability.

▸Vulnerability in Yeager CMS – CVE-2015-7571.

▸RFI (Remote File Inclusion) vulnerability in WordPress TimThumb – CVE-2011-4106.

▸Uploadify remote code execution vulnerability.

▸Remote code execution in vBulletin widget – CVE-2019-16759.

▸Remote code execution in WordPress install.php – CVE-2011-4899.

▸Brute force attack on WordPress xmlrpc.php login.

▸Multiple remote code execution vulnerabilities in WordPress plugins and themes.

▸File upload vulnerability in WebDAV.
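As an added example, not part of the original article, the following Python script shows how a defender can look for traces of several of the techniques listed above in web-server access logs: requests for the PHPUnit eval-stdin.php script abused through CVE-2017-9841, TimThumb requests whose src parameter points at a remote URL (the RFI vector of CVE-2011-4106), and bursts of POST requests to xmlrpc.php from a single address, which is how a login brute-force attempt shows up in the logs. The log lines are constructed for the example, the WordPress install.php location and the threshold of five POSTs per address are assumptions chosen for illustration, and none of it is the researchers' own tooling.

```python
import re
from collections import Counter

# Constructed Apache "combined" access log lines for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2020:10:01:12 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Oct/2020:10:02:01 +0000] "GET /wp-content/themes/example/timthumb.php?src=http://203.0.113.9/x.php HTTP/1.1" 200 1024 "-" "curl/7.64.1"
198.51.100.23 - - [20/Oct/2020:10:02:05 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.64.1"
192.0.2.44 - - [20/Oct/2020:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.24.0"
192.0.2.44 - - [20/Oct/2020:10:03:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.24.0"
192.0.2.44 - - [20/Oct/2020:10:03:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.24.0"
192.0.2.44 - - [20/Oct/2020:10:03:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.24.0"
192.0.2.44 - - [20/Oct/2020:10:03:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.24.0"
192.0.2.44 - - [20/Oct/2020:10:03:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.24.0"
192.0.2.45 - - [20/Oct/2020:10:04:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/5.5"
198.51.100.80 - - [20/Oct/2020:10:05:00 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Prefix of the Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)

# Request-path signatures for exploitation attempts named in the article.
SIGNATURES = {
    # CVE-2017-9841: the PHPUnit test helper that should never be web-reachable.
    "CVE-2017-9841 PHPUnit eval-stdin.php": re.compile(
        r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I),
    # CVE-2011-4106: TimThumb asked to fetch a remote "src" (the RFI vector).
    "CVE-2011-4106 TimThumb remote src": re.compile(
        r"timthumb\.php\?.*\bsrc=https?(?::|%3a)", re.I),
    # CVE-2011-4899: WordPress install.php; the wp-admin location is an assumption here.
    "CVE-2011-4899 WordPress install.php": re.compile(r"/wp-admin/install\.php", re.I),
}

# Assumed threshold for flagging xmlrpc.php POST bursts; tune to the site's real traffic.
XMLRPC_POST_THRESHOLD = 5


def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines, xmlrpc_threshold=XMLRPC_POST_THRESHOLD):
    """Scan log lines for exploitation signatures and xmlrpc.php brute-force bursts."""
    signature_hits = []          # (signature name, client ip, request path)
    xmlrpc_posts = Counter()     # client ip -> number of POSTs to xmlrpc.php
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                signature_hits.append((name, rec["ip"], rec["path"]))
        # Login brute force against WordPress goes through repeated POSTs to xmlrpc.php.
        if rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/xmlrpc.php"):
            xmlrpc_posts[rec["ip"]] += 1
    xmlrpc_bruteforce = {ip: n for ip, n in xmlrpc_posts.items() if n >= xmlrpc_threshold}
    return {"signature_hits": signature_hits, "xmlrpc_bruteforce": xmlrpc_bruteforce}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG.splitlines())
    for name, ip, path in report["signature_hits"]:
        print(f"[signature] {name}: {ip} requested {path}")
    for ip, count in report["xmlrpc_bruteforce"].items():
        print(f"[bruteforce] {ip} sent {count} POSTs to xmlrpc.php")
```

On the constructed sample the script reports the eval-stdin.php request from 203.0.113.7, the remote-src TimThumb request from 198.51.100.23 and six xmlrpc.php POSTs from 192.0.2.44, while the single POST from 192.0.2.45 (a pingback-style request a legitimate WordPress site might send) stays under the threshold. A successful hit on eval-stdin.php is the one to act on first, since the article describes it as the entry point through which the botnet payload is dropped.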

One comment on «KashmirBlack – A Botnet that attacks servers»