The Indonesia-based botnet KashmirBlack attacks popular content management systems (CMS) such as WordPress, Drupal and Joomla, among others. The botnet compromises CMS installations in order to use their servers for cryptocurrency mining or for sending spam to victims.
Member of PhantomGhost Hacker Group Behind The Botnet
U.S.-based cybersecurity firm Imperva uncovered the highly sophisticated botnet. The botnet network is run by the hacker “Exect1337,” a member of the Indonesian hacker crew PhantomGhost. Researchers were able to link the botnet to the particular Indonesian hacking group by tracing IP addresses used during a website defacement campaign earlier this year.
Ofir Shaty, Imperva security researcher and co-author of the research, shared his view:
“This is the first time we have been able to get visibility into how exactly a botnet like this operates; an important discovery that will help the industry better understand how these nefarious groups evolve and sustain their activity.”
According to the report, KashmirBlack started operating last year in November 2019 and has attacked thousands of websites including WordPress, Joomla, PrestaShop, Magento, Drupal, vBulletin, OsCommerce, OpenCart, and Yeager.
Researchers at Imperva say that the botnet is also supported by 60 other compromised content management servers that form part of its malicious infrastructure.
KashmirBlack Botnet Infects Around 700 CMS Platforms Every Day
The security researchers at Imperva estimate that KashmirBlack infects around 700 vulnerable content management system servers each day. This implies that the botnet alone has compromised around 230,000 servers so far.
The operators of KashmirBlack use cloud services such as GitHub, Dropbox and Pastebin to hide from security tools while sending additional spam to the infected servers.
The KashmirBlack botnet is controlled by a single command-and-control server. In March, the botnet added a crypto-mining function, using the XMRig miner to mine the Monero cryptocurrency. Security researchers at Imperva were able to uncover this by tracing the activity to a digital wallet.