KashmirBlack abused to run ongoing cryptomining, spamming, and defacement attacks

UPDATED Security researchers have lifted the lid on a prolific botnet that relies on a decade-old vulnerability to infect popular Content Management Systems (CMS).

KashmirBlack exploits the long patched PHPUnit remote code execution (RCE) vulnerability (CVE-2017-9841) to infect systems running WordPress, Joomla, and other CMS platforms.

“The hacker is likely targeting CMS because they are notorious for poor cyber hygiene, as many people use old versions, unsupported plug-ins, and weak passwords,” according to security researchers at Imperva.

The cybersecurity firm went public with a technical write-up about the botnet on Thursday (October 22) following a six-month investigation.

The compromised network of CMS servers has been abused by cybercriminals for cryptomining, spamming, and defacement, with different payloads and instructions being delivered as the botnet abuse evolved over time.


The botnet, which first emerged in or around November 2019 and remains active, has spread across 30 countries and performs millions of attacks every day.

KashmirBlack is managed by a single command and control (C&C) server and uses more than 60 additional servers – mostly innocent surrogates – as part of its infrastructure.

It handles hundreds of thousands of bots, each communicating with the C&C server ​to receive new targets, perform brute-force attacks, install backdoors, and grow the botnet further still.

In addition, the botnet exploits a range of vulnerabilities to maintain persistence, so that it can stay undetected and protect its operation.

Using a CMS give advantages over the more conventional approach of building a botnet from hacked PCs, Imperva told The Daily Swig.

“A CMS server is the ideal vehicle for a botnet operation; it is always 'on' and operating,” Sarit Yerushalmi, a security researcher at Imperva, explained. “Typically, CMS servers often have more resources (memory, diskspace and CPU cores) than the average PC.

“Thus, when a hacker takes over the CMS server, they’re actually achieving more power and storage to use. We find that CMS platforms – because they are publicly accessible – are more visible and exposed to attacks than the average private PC,” she added.

Catch up on the latest cyber-attack news

The attack is likely linked to an Indonesian cybercrime group known for defacement, according to Imperva.

The threat intelligence team said they identified a member of ‘PhantomGhost’, an active hacking crew that typically focuses on defacement.

The hacker, ‘Exect1337’, allegedly left a marker within their code, which gave the botnet its name: ‘KashmirBlack’.


KashmirBlack is much more sophisticated than the average botnet. “It has a well-designed infrastructure that can expand and add new exploits or payloads without much effort,” according to Imperva.

The researchers created a honeypot of vulnerable systems to attract the botnet. Once infected, this allowed researchers to see exactly how the different entities that made up the botnet interacted with one another, effectively exposing the inner workings of KashmirBlack to scrutiny.

Three days after the honeypot was infected, the botnet maintainer apparently grew suspicious and updated the reporting address, freezing the researchers out – showing how quick and responsive the botnet is to outside threats, Imperva reports.

READ MORE Microsoft launches machine learning cyber-attack threat matrix

This limited timeframe was nonetheless long enough for Imperva’s researchers to uncover evidence of popular software development frameworks and methodologies – such as DevOps and Agile – being used to help the botnet adapt and evolve to new payloads and instructions.

KashmirBlack Uses repositories, such as GitHub, to store malicious code and script.

The botnet recently entered a new evolutionary stage by using a cloud-based service, Dropbox, to replace the C&C.

The botnet uses “sophisticated methods to camouflage itself, exploiting a range of vulnerabilities to maintain persistence, so that it can stay undetected and protect its operation,” according to Imperva.

The PHPUnit vulnerability allows direct RCE on the server in compare to other File Upload vulnerabilities used by the botnet where the attacker needs to take more actions in order to execute arbitrary code on the server.

Many of the vulnerabilities are not related to the core files but to third-party plugins shared by multiple CMS platforms. This makes the botnet more agile in term of targets and victims, according to Imperva.

"However, some of the vulnerabilities target specific CMS, such as: WordPress, Joomla and Magento," Yerushalmi said. "When you look at all vulnerabilities, we see that WordPress is more at risk than others – likely because of its popularity and large user base".

Zombie disinfection advice

Nadav Avital, head of threat research at Imperva, said: “If you discover that you are in the botnet, then you must kill the malicious processes and remove the malicious files and jobs. You will then need to investigate whether the infection has spread and compromised any other data or systems.”

Imperva emphasized that prevention of infection is better than cure.

“Organisations need to practice good cyber hygiene by removing unused plugins and themes; ensuring the CMS core files and third-party modules are always up to date and properly configured; denying access to sensitive files and paths, such as install.php, wp-config.php, and eval-stdin.php,” Avital advised.

An Imperva spokesperson told The Daily Swig that the “attack was spread across the major CMS platforms with no favourability towards any one. The highest propensity was WordPress and Joomla, because of their popularity and wide-spread use,” they added.

Use of strong and unique passwords on CMS servers – as a defense against brute-force attacks – and the deployment of a web application firewall are also recommended by Imperva as a general defense against KashmirBlack and similar threats.

This story has been updated and revised to add comments from Imperva

YOU MIGHT ALSO LIKE Vulnerable WordPress plugin could allow full site takeover