Schedule a demo

KashmirBlack Botnet Threat Intel Advisory

Summary

CloudSEK Threat Intelligence Advisory on KashmirBlack, infects sites that use outdated software, exploits CVE-2017-9841 in CMS platforms.
Type
 Botnet
Target
 Content Management System (CMS)
  KashmirBlack botnet has been active since November 2019 and is linked to an Indonesian hacker group known as PhantomGhost. Earlier the botnet's primary purpose was to infect websites and use their servers for cryptocurrency mining, redirecting legitimate traffic to spam pages and defacing websites. But in May of 2020 KashmirBlack underwent a couple of changes. The botnet now handles hundreds of bots, each communicating with the C2 server, performing brute force attacks, installing backdoors, and continuously expanding the size of the botnet.  KashmirBlack hunts for sites that use outdated software and then uses the exploits for known vulnerabilities, to compromise the site and its underlying server. Currently, botnet is targeting content management system (CMS) platforms. The botnet infects machines by exploiting a PHPUnit remote code execution vulnerability (CVE-2017-9841) in CMS platforms. Network of the botnet is spread across 30 countries, controlled by a single C2 server, with over 60 surrogate servers. The botnet utilizes several vulnerabilities to hide itself in compromised machines and maintain its operations. In addition to this, the botnet uses software development frameworks like DevOps and Agile to add new devices in it. Most businesses are affected because of the recent spike in the number of users leveraging CMS platforms to support remote work.[/vc_wp_text][vc_wp_text]

Impact

  • Botnet can be used to perform distributed denial of service (DDoS) attacks. 
  • Account credentials can be leaked leading to account takeovers.
  • Provides the attacker access to a device and its connection to a network.
[/vc_wp_text][vc_wp_text]

IOC

 
Spam bot - malicious and compromised files
  1. /index.php
  2. /priv_sym/conf.php
  3. /priv_sympy/sym.py
  4. /tmp/pear/download/imagick-3.4.4.tgz
  5. /wp-content/plugins/three-column-screen-layout/db.php
  6. /wp-content/plugins/wordfence/url/cach/classes/model/wp-pingg.php
  7. /wp-content/sqlapi.php
  8. /wp-content/themes/danfe/db.php
  9. /wp-content/themes/danfe/indx.php
  10. /wp-content/themes/danfe/ramage_Libytheidae.php
  11. /wp-content/themes/danfe/tbl_status.php
  12. /wp-content/themes/danfe/wp_class_datlib.php
  13. /wp-content/themes/danfe/wp-data.php
  14. /wp-load.php
  15. Files with prefix ‘original1.’
 
Known KashmirBlack IPs
  1. 101.50.3.132
  2. 160.153.192.222
  3. 198.1.98.189
  4. 35.240.254.161
  5. 103.11.75.15
  6. 161.189.159.172
  7. 198.37.123.60
  8. 35.242.128.177
  9. 103.116.16.67
  10. 161.189.202.40
  11. 198.57.247.202
  12. 35.244.124.106
  13. 103.145.226.104
  14. 162.144.18.118
  15. 198.58.99.254
  16. 35.244.72.212
  17. 103.147.154.41
  18. 162.144.68.170
  19. 199.101.100.123
  20. 35.247.132.6
  21. 103.21.58.29
  22. 162.214.71.13
  23. 199.101.100.124
  24. 35.247.160.99
  25. 103.229.72.13
  26. 162.241.143.7
  27. 199.188.200.224
  28. 35.247.185.96
  29. 103.229.72.89
  30. 162.241.156.242
  31. 199.79.62.126
  32. 37.187.163.201
[/vc_wp_text][vc_wp_text]

Mitigation

  1. Make sure CMS core files and modules are updated.
  2. Use strong passwords.
  3. Deploy web application firewall (WAF).
  4. Access should be denied or limited for sensitive files and paths such as wp-config.php, install.php, and eval-stdin.php.
  5. Keep your system updated and use antivirus software.

Table of Contents

Try XVigil for free

Request an easy and customized demo for free

Be informed in your Inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Subscribe now
Join the Discussions
Discuss your way into our Community about these threats and stay Vigilant and informed.
Discuss Now