Researchers from Imperva found (1, 2) that the KashmirBlack botnet, active since the end of 2019, has infected hundreds of thousands of sites running popular CMSes, including WordPress, Joomla, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart and Yeager.
As a rule, the botnet uses the servers of infected sites to mine cryptocurrency, redirects legitimate traffic to spam sites, uses the hacked sites to attack other resources and sustain its own activity, and sometimes even defaces them.
The experts write that KashmirBlack started out as a small botnet, but over the past months it has grown into a threat capable of attacking thousands of sites a day. The most significant changes in the malware's operation came in May 2020, when the botnet expanded both its control infrastructure and its arsenal of exploits. The researchers note that KashmirBlack is currently run from a single C&C server, but relies on more than 60 servers (mostly compromised resources) in its infrastructure.
"KashmirBlack interacts with hundreds of bots, each of which communicates with the C&C server to get a list of new targets, carry out brute-force attacks, install backdoors and work on expanding the botnet," the company said in a report.
KashmirBlack's main distribution method is to scan the Internet for sites running outdated software. The malware then uses exploits for various known vulnerabilities to compromise the vulnerable site and take over its server. According to Imperva, the botnet actively abuses 16 vulnerabilities:
Imperva researchers note that, in their opinion, this botnet is the work of a hacker known by the pseudonym Exect1337, a member of the Indonesian hacker group PhantomGhost.