KashmirBlack ..|.. Botnet *

The highly-sophisticated botnet is believed to have infected hundreds of thousands of websites by attacking their underlying CMS platforms, according to US-based cyber security firm Imperva , named to be KashmirBlack. The main victims are Drupal, WordPress and its counts

The botnet’s prime purpose appears to infect websites, and then use their servers for cryptocurrency mining.

Hackers based on Indonesia has a base where Command&Control Infrastructure has been placed.

The botnet is the work of a hacker named “Exect1337“, a member of the Indonesian hacker crew PhantomGhost.

“The KashmirBlack C&C has three main roles: Supply a Perl script that infects the victim server with the botnet malicious script, receive reports of findings and attack results from bots and supply bots with attack instructions,” most of the victim site is from US

The KashmirBlack C&C has a scanner that searches for sites running CMS platforms, creates an attack instruction with the newly- found sites, and pushes it into a queue waiting for bots to receive them and attack.

The team found more than 20 distinct exploits.

PHPUnit Remote Code Execution – CVE-2017-9841
jQuery file upload vulnerability – CVE-2018-9206
ELFinder Command Injection – CVE-2019-9194
Joomla! remote file upload vulnerability
Magento Local File Inclusion – CVE-2015-2067
Magento Webforms Upload Vulnerability
CMS Plupload Arbitrary File Upload
Yeager CMS vulnerability – CVE-2015-7571
Multiple vulnerabilities including File Upload & RCE for many plugins in multiple platforms here
WordPress TimThumb RFI Vulnerability – CVE-2011-4106
Uploadify RCE vulnerability
vBulletin Widget RCE – CVE-2019-16759
WordPress install.php RCE
WordPress xmlrpc.php Login Brute-Force attack
WordPress multiple Plugins RCE (see full list here)
WordPress multiple Themes RCE (see full list here)
Webdav file upload vulnerabilit