KashmirBlack Botnet Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on KashmirBlack, infects sites that use outdated software, exploits CVE-2017-9841 in CMS platforms.
Updated on April 19, 2023
Published on October 30, 2020
Type: Botnet
Target: Content Management System (CMS)
The KashmirBlack botnet has been active since November 2019 and is linked to an Indonesian hacker group known as PhantomGhost. Initially the botnet's primary purpose was to infect websites and use their servers for cryptocurrency mining, to redirect legitimate traffic to spam pages, and to deface websites. In May 2020 KashmirBlack underwent a number of changes. The botnet now handles hundreds of bots, each communicating with the C2 server, performing brute force attacks, installing backdoors, and continuously expanding the size of the botnet.

KashmirBlack hunts for sites that run outdated software and then uses exploits for known vulnerabilities to compromise the site and its underlying server. The botnet is currently targeting content management system (CMS) platforms and infects machines by exploiting a PHPUnit remote code execution vulnerability (CVE-2017-9841) in CMS platforms. The botnet's network is spread across 30 countries and is controlled by a single C2 server with over 60 surrogate servers. The botnet exploits several vulnerabilities to hide itself on compromised machines and maintain its operations. In addition, the botnet uses software development frameworks such as DevOps and Agile to add new devices to its network. Most businesses are affected because of the recent spike in the number of users leveraging CMS platforms to support remote work.

Impact

  • The botnet can be used to perform distributed denial of service (DDoS) attacks.
  • Account credentials can be leaked, leading to account takeovers.
  • Gives the attacker access to a compromised device and its connection to the network.

IOC

 
Spam bot - malicious and compromised files
  1. /index.php
  2. /priv_sym/conf.php
  3. /priv_sympy/sym.py
  4. /tmp/pear/download/imagick-3.4.4.tgz
  5. /wp-content/plugins/three-column-screen-layout/db.php
  6. /wp-content/plugins/wordfence/url/cach/classes/model/wp-pingg.php
  7. /wp-content/sqlapi.php
  8. /wp-content/themes/danfe/db.php
  9. /wp-content/themes/danfe/indx.php
  10. /wp-content/themes/danfe/ramage_Libytheidae.php
  11. /wp-content/themes/danfe/tbl_status.php
  12. /wp-content/themes/danfe/wp_class_datlib.php
  13. /wp-content/themes/danfe/wp-data.php
  14. /wp-load.php
  15. Files with prefix ‘original1.’
 
Known KashmirBlack IPs

Mitigation

  1. Make sure CMS core files and modules are updated.
  2. Use strong passwords.
  3. Deploy web application firewall (WAF).
  4. Deny or restrict access to sensitive files and paths such as wp-config.php, install.php, and eval-stdin.php.
  5. Keep your system updated and use antivirus software.
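A way to turn the advisory's request-path indicators into a detection, added here as an example (not CloudSEK's code): it scans web server access-log lines for hits on the CVE-2017-9841 PHPUnit eval-stdin.php endpoint (assumed at its standard vendor path, which the advisory does not spell out), on a subset of the compromised-file paths from the IOC list, and on the 'original1.' file prefix. Sample log lines and IP addresses are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Request-path indicators: a subset of the advisory's IOC file list plus the
# PHPUnit eval-stdin.php endpoint abused by CVE-2017-9841. /index.php and
# /wp-load.php are listed too, but as legitimate WordPress files they must be
# checked by content or hash, not by request path.
IOC_PATHS = {
    "/priv_sym/conf.php",
    "/wp-content/sqlapi.php",
    "/wp-content/plugins/three-column-screen-layout/db.php",
    "/wp-content/themes/danfe/db.php",
}

# Common Log Format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def classify(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]   # drop the query string
    name = path.rsplit("/", 1)[-1]            # last path component
    if name == "eval-stdin.php":              # CVE-2017-9841 RCE endpoint
        reason = "cve-2017-9841-eval-stdin"
    elif path in IOC_PATHS:
        reason = "kashmirblack-ioc-path"
    elif name.startswith("original1."):       # advisory: 'original1.' prefix
        reason = "kashmirblack-original1-prefix"
    else:
        return None
    status = m.group("status")
    # 2xx means the file exists or the exploit request was accepted; a 404 is
    # still a probe worth attributing to the source IP.
    severity = "high" if status.startswith("2") else "probe"
    return {"ip": m.group("ip"), "method": m.group("method"), "path": path,
            "status": status, "reason": reason, "severity": severity}

def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Oct/2020:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [30/Oct/2020:10:01:05 +0000] "GET /wp-content/themes/danfe/db.php?x=1 HTTP/1.1" 200 88',
    '198.51.100.7 - - [30/Oct/2020:10:02:00 +0000] "GET /wp-content/uploads/original1.info.php HTTP/1.1" 404 0',
    '198.51.100.9 - - [30/Oct/2020:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3200',
]
```

Running `scan(SAMPLE_LOG)` flags the first three lines and leaves the ordinary login request alone; a real deployment would add the advisory's IP list as a second, independent match on the `ip` field.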
