KashmirBlack Botnet Description
Researchers have unearthed the activities of a highly sophisticated botnet that they have named KashmirBlack. The botnet has global reach and is responsible for millions of attacks every day. Its operators can use the established botnet to deploy crypto-miner payloads on compromised hosts, send large volumes of spam, or run defacement campaigns against specific targets.
KashmirBlack has been operational since at least November 2019 and has so far enslaved hundreds of thousands of machines, all controlled from a single Command-and-Control (C&C, C2) server. The compromise vector used to grow the botnet is a PHPUnit remote code execution (RCE) vulnerability, exposed by popular content management system (CMS) installations, plugins and themes that ship the PHPUnit developer library into production. Although the vulnerability is years old and long patched upstream, it can still affect millions of users, in part because companies hastily stood up online environments for their remote workers during the COVID-19 pandemic, often without hardening them.
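The PHPUnit RCE referred to above is CVE-2017-9841: an HTTP POST to `vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php` is executed as PHP when that developer file is reachable through the web server. The script below is an added example (not Imperva's research tooling or anything taken from the botnet) showing the two checks a defender wants first: scan access logs for requests to that file, distinguishing probes from POSTs the server actually answered, and walk a web root for any exposed copy of the file. The log lines and the demo web root are constructed for the example; the field names and the `likely_exec`/`probe` verdicts are this example's own conventions.

```python
"""Triage helpers for the PHPUnit eval-stdin.php RCE vector (CVE-2017-9841).

Added example, not code from the original article, Imperva, or KashmirBlack.
Sample log lines below are constructed (documentation-range IPs).
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import unquote

EVAL_STDIN = "eval-stdin.php"

# Apache/nginx combined log format; only method, path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict]:
    """Return the fields we care about, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Attackers URL-encode parts of the path to dodge naive string filters,
    # so normalise before matching (eval%2Dstdin.php -> eval-stdin.php) and
    # drop any query string.
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    rec["status"] = int(rec["status"])
    return rec


def classify(rec: Dict) -> Optional[str]:
    """'likely_exec' for a POST answered with 2xx (the file existed and the
    body was handed to PHP), 'probe' for any other request to eval-stdin.php,
    None for unrelated traffic."""
    if EVAL_STDIN not in rec["path"].lower():
        return None
    if rec["method"] == "POST" and 200 <= rec["status"] < 300:
        return "likely_exec"
    return "probe"


def scan_log(lines: List[str]) -> List[Dict]:
    """Run every parsable line through classify() and keep the hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "verdict": verdict})
    return hits


def find_exposed_eval_stdin(webroot: Path) -> List[str]:
    """Any eval-stdin.php under the web root is a live RCE if the server will
    execute PHP inside vendor/. Returns POSIX paths relative to webroot."""
    webroot = Path(webroot)
    return sorted(p.relative_to(webroot).as_posix()
                  for p in webroot.rglob(EVAL_STDIN) if p.is_file())


def make_demo_webroot() -> Path:
    """Constructed web root (temp dir) with PHPUnit deployed into production,
    the misconfiguration the botnet relies on. Placeholder file contents."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    target = root / "vendor/phpunit/phpunit/src/Util/PHP" / EVAL_STDIN
    target.parent.mkdir(parents=True)
    target.write_text("<?php // placeholder standing in for PHPUnit's helper\n")
    (root / "index.php").write_text("<?php echo 'hello';\n")
    return root


SAMPLE_LOG = [  # constructed for this example
    '203.0.113.5 - - [22/Oct/2020:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Oct/2020:10:02:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 14 "-" "python-requests/2.24.0"',
    '198.51.100.7 - - [22/Oct/2020:10:02:04 +0000] "POST /wp-content/plugins/acme/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 210 "-" "python-requests/2.24.0"',
    '198.51.100.9 - - [22/Oct/2020:10:03:30 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("exposed:", find_exposed_eval_stdin(make_demo_webroot()))
```

A `likely_exec` hit means the file was present and PHP received the POST body, but the body itself is not in the access log, so the host still has to be pulled for forensics (new files under the web root, cron entries, outbound C&C connections). The lasting fix is to never deploy developer dependencies: install with `composer install --no-dev` and deny web access to `vendor/` entirely, rather than blocking one file name that attackers already try under many prefixes and encodings.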
The entry vulnerability may be old, but KashmirBlack's other characteristics are definitely ahead of the curve. The operators have used DevOps techniques to build an infrastructure that is sophisticated and, at the same time, extremely flexible. This allows them to rapidly equip KashmirBlack with new capabilities, malware payloads and exploits. The same flexibility lets them easily modify the botnet's C&C infrastructure and quickly move their repositories of malicious code from one hosting service to another. Such a move was observed when KashmirBlack shifted from GitHub to Dropbox in an attempt to better hide its activity.
The criminals behind the botnet are clearly highly skilled, and they keep a close eye on the actions of infosec analysts. KashmirBlack's communication with the honeypot servers set up by the security researchers was blocked just three days after the initial contact.
For now, the hacker group PhantomGhost is the most likely culprit behind the KashmirBlack botnet. Based in Indonesia, it is known for carrying out defacement campaigns.