Researchers Say Botnet Mines for Cryptocurrency and Sends Spam
How the KashmirBlack botnet works (Source: Imperva)
Security researchers at Imperva have uncovered a botnet that attacks vulnerabilities in websites’ underlying content management systems and then uses these compromised servers to mine for cryptocurrency or send spam to more victims.
The botnet, which the researchers dubbed KashmirBlack, started operating in November 2019 and has since infected thousands of websites running WordPress, Joomla, PrestaShop, Magento, Drupal, vBulletin, OsCommerce, OpenCart and Yeager by attacking vulnerabilities in those content management systems, Imperva reports.
The researchers estimate that KashmirBlack infects about 700 vulnerable content management system servers each day, which could mean the botnet is responsible for 230,000 compromised servers.
“It utilizes dozens of known vulnerabilities on its victims’ servers, performing millions of attacks per day on average on thousands of victims in more than 30 different countries around the world,” according to the Imperva researchers, who note that most of the targeted and compromised servers are within the U.S.
The botnet is controlled by a single command-and-control server, but it’s also supported by 60 other compromised content management servers as part of its malicious infrastructure, Imperva says.
“It handles hundreds of bots, each communicating with the [command-and-control server] to receive new targets, perform brute force attacks, install backdoors and expand the size of the botnet,” researchers say.
The KashmirBlack botnet appears to have originated in Indonesia and is controlled by a hacking group that the Imperva researchers call “PhantomGhost.” The report notes that the researchers were able to link the botnet to this hacking group by tracing IP addresses used during a website defacement campaign earlier this year.
The Imperva researchers also found that the operators behind KashmirBlack use cloud services such as GitHub, Dropbox and Pastebin to hide the infrastructure from security tools as well as to send additional commands to infected servers.
Microsoft has noted that threat actors are increasingly abusing cloud services (see: Microsoft Shutters Azure Apps Used by China-Linked Hackers).
How KashmirBlack Works
The Imperva researchers found that the operators of the KashmirBlack botnet exploit more than a dozen common vulnerabilities in websites’ content management systems and then use those compromised servers to help build and maintain the botnet’s infrastructure.
The botnet’s infrastructure is modular and contains separate components. For instance, KashmirBlack’s infrastructure uses what the researchers call “Repository A” to help store malicious scripts to communicate with the command-and-control server. It uses “Repository B” to store the bundles of exploits and payloads to target and infect other vulnerable content management systems.
KashmirBlack also uses two bots that help it spread. A “spreading bot” communicates with the command-and-control server and reports back to its operators when a new server is ready to join the larger botnet. A “pending bot” awaits commands to decide if the compromised server should be used as part of the overall infrastructure or assigned to other tasks, such as mining for cryptocurrency, according to the report.
The botnet has load-balancing features to ensure it runs efficiently and that it can scale and add new exploits for vulnerabilities, the researchers say.
Move to the Cloud
The KashmirBlack botnet underwent a significant change in September when its operators moved the command-and-control server to Dropbox, which allows it to send and fetch commands more efficiently, according to the report.
“Moving to Dropbox allows the botnet to hide illegitimate criminal activity behind legitimate web services,” the report states. “It is yet another step toward camouflaging the botnet traffic, securing the [command-and-control] operation and, most importantly, making it difficult to trace the botnet back to the hacker behind the operation.”
For What Purpose?
The KashmirBlack botnet performs several functions, including sending out additional spam for its operators as well as defacing websites, according to the report.
In March, the botnet apparently added a cryptomining function, using XMRig malware to mine for Monero. Imperva researchers traced this activity to a digital wallet.
Security researchers have spotted other botnet operators using XMRig for their own illegal virtual currency mining operations (see: Kubeflow Targeted in XMRig Monero Cryptomining Campaign).
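The two behaviours the report describes on a compromised CMS host, web-server workers fetching commands and payloads from Dropbox, Pastebin or GitHub, and an XMRig miner talking to a pool, can both be spotted from egress connection logs. The following is an added example for defenders, not code from Imperva or the report; the log format, host names, the set of worker process names and the stratum pool ports are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample egress log from CMS web hosts. The format is an assumption:
# "<timestamp> <src_host> <dst_host>:<dst_port> <process_name>".
SAMPLE_LOG = """\
2020-10-01T10:00:01 cms-web-01 api.wordpress.org:443 php-fpm
2020-10-01T10:00:05 cms-web-02 api.dropbox.com:443 php-fpm
2020-10-01T10:00:09 cms-web-02 pastebin.com:443 php-fpm
2020-10-01T10:01:12 cms-web-03 pool.invalid:3333 xmrig
2020-10-01T10:01:40 cms-web-01 raw.githubusercontent.com:443 composer
"""

# Cloud services the report names as the botnet's command and payload channels.
STAGING_HOSTS = {"api.dropbox.com", "dropbox.com", "pastebin.com",
                 "github.com", "raw.githubusercontent.com"}
# Web-server worker processes that should not normally fetch from those hosts
# (an admin tool such as composer doing so is a different, usually benign, case).
CMS_WORKERS = {"php-fpm", "php", "apache2", "httpd", "nginx"}
# Assumption: commonly used stratum mining-pool ports; the miner name is literal.
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
MINER_NAMES = {"xmrig"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")

def parse_line(line):
    """Return (src_host, dst_host, dst_port, process) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, dst, port, proc = m.groups()
    return src, dst.lower(), int(port), proc.lower()

def analyse(log_text):
    """Map each source host to the list of indicators seen, in log order."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port, proc = rec
        # A CMS worker pulling from a file-sharing service matches the C2 pattern.
        if dst in STAGING_HOSTS and proc in CMS_WORKERS:
            findings[src].append(f"cms-worker-egress:{dst}")
        # Mining activity: a known miner binary or a stratum pool port.
        if proc in MINER_NAMES or port in MINING_PORTS:
            findings[src].append(f"mining:{proc}:{port}")
    return dict(findings)

if __name__ == "__main__":
    for host, hits in analyse(SAMPLE_LOG).items():
        print(host, hits)
```

A hit is a lead for review rather than proof of compromise; the worker-process filter is what keeps routine package installs from GitHub out of the results.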