
Hi everyone, today we're going to talk about the crime ops of the KashmirBlack botnet. But first let me introduce myself. My name is Sarit and I'm a security researcher at Imperva. For the last 10 years I have mainly focused on web application security, and I develop algorithms to detect and protect against attacks. My colleague Ofir has been a security researcher for the last five years; his focus is on database and web application security.

Before diving into the bits and bytes of our research, I would like to introduce you to the KashmirBlack botnet. It all started in November 2019 and lasted 11 months, which is basically our research period. We discovered a botnet that attacks popular CMS platforms such as WordPress, Joomla, Magento, etc. in more than 30 different countries around the world. It performs millions of attacks per day on average, and we calculated that there were hundreds of thousands of bots out there participating in the botnet operation. The bots utilize dozens of known vulnerabilities with different attack types like file upload, remote code execution and many more. This session is a journey into the botnet core from the attacker's point of view.

So let's start. A security research investigation can sometimes be like a crime scene investigation, but our crime scene is spread all over the network with nobody in place, so we need to collect the clues and fingerprints to construct a picture of the virtual crime. As part of a study carried out at Imperva we observed around 9 million attack attempts exploiting the PHPUnit remote code execution, and we were wondering why this CVE is so popular among attackers. To understand this we started to analyze attacks from our data lake. We saw different IPs using the same payload over and over again, attacking different customers, which reminded us of botnet behavior, so we decided to download the payload and dive in.

We basically started with the mapping step: we downloaded the code and performed analysis, and we revealed all the entities of the operation; later I will talk about them in further detail. The next step we took was to infiltrate. We saw that the botnet is updating on a regular basis, and we decided to act like a bot and gather these updates for later analysis. And finally we played the victim: we created a honeypot in order to understand the post-exploitation stage.

So let's review all those entities that play a role in this massive operation. When looking at the botnet entities we can split them into three groups: the botnet infrastructure, the botnet third-party services and the botnet actors. Inside the botnet infrastructure we have the CNC and repositories A and B. Under the third-party services we have GitHub, Pastebin and Dropbox, which the attacker uses on one hand to camouflage his operation and on the other hand to make the botnet more flexible. Under the botnet actors we have the victim and two types of bots, pending and spreading, and I will describe the difference between them later in the presentation.

The first entity in the botnet infrastructure, which is responsible for the entire operation, is the command and control, and here we can see the login screen of the CNC. The KashmirBlack CNC is located in Indonesia and has three main roles: it supplies attack instructions to bots, it receives attack reports from bots, and it supplies a malicious script that infects the victim server.

Here we can see a snapshot of the infection script. The attacker defines a parameter that represents a crontab task, and the task contains a Python script scheduled to run every three minutes. It includes several imports and uses base64 encoding to obfuscate the malicious payload. We can also see that the output of this task will be sent to /dev/null, so no history will be saved. In the next code block the attacker redefines the victim's crontab to include the malicious Python task that we just saw in the previous section, and as part of this redefinition the attacker makes sure to remove all mail notifications.

Let's move to the repositories. Repository A, as you can see, is a printer component shopping site. It was hacked by the attacker and was used to store the communication script file to communicate with the CNC. Another type of repository entity in the botnet is repository B, which is a site that was classified as an educational institute and was used by the attacker to store bundles of exploits and payloads. Here is an example of the exploit payload bundles. The attacker's files are located under the css path among other CSS files used by this innocent web server. We can see that the names of the bundle files start with the in-memory prefix, and they are actually zip files hidden with the .css extension, and here is their modification date.

One of the best qualities of this botnet is that the infrastructure is just like plug-and-play. The attacker can expand his target victims by adding new payloads just by uploading them here under the css directory; no infrastructure changes are required, and every file represents an exploit that targets a specific vulnerability. Here is a partial list of CVEs the botnet uses as part of its operation. Among them we can see remote code execution, file upload, remote file include and many more, and these vulnerabilities are related to different plugins, widgets and themes. We can say that the conclusion here is that it's not necessary to use exotic exploits in order to expand the botnet.

Moving to the cloud-based services. Another type of entity used by this attacker is GitHub. It was used as version control to store some of his files, and when we checked the repository we saw web shells and cryptominers. We can say that by using GitHub the botnet achieves a layer of flexibility: the attacker can easily update a file in this repository without interfering with the botnet activity. Another entity is Pastebin, which is a website that allows anonymous users to share plain text through public posts they call pastes. The attacker used this service as a quick and easy way to access and download backdoors during the infection step in the botnet operation. Later we will show how Dropbox was used in order to upgrade the botnet, hide the operation behind legitimate cloud services and also to secure the CNC.

Now let's talk about the two types of bots. First, the spreading bot. This bot constantly communicates with the CNC to receive attack instructions; those are commands from the CNC telling it who to attack and how. This bot is being used to infect new machines and expand the botnet. A victim that was infected by the spreading bot can become one of two: a spreading bot or a pending bot. Now let's talk about the pending bot. As I said before, this bot is a victim site that was infected by a spreading bot, the one that appears here, and as a result is under the control of the CNC. It stays in idle mode until the CNC approaches and changes its purpose, and this is actually why we named it pending bot. I will talk about the purpose in a bit. The difference between these two is that the pending bot does not initiate communication with the CNC.

Moving to the KashmirBlack botnet scope, the infiltrate step. The best way to learn about an organization is to be part of it; the same goes for learning about the botnet operation, and we call it the infiltrate step. Once we mapped all the entities of the botnet we wanted to understand the scope of the botnet, its victims, their attacks and the evolution, and to answer those questions we had to take a more active approach to the investigation. We learned the communication protocol between the bot and the CNC and we mimicked it. We infiltrated the botnet by constant communication with the CNC: we went undercover and impersonated a spreading bot in the botnet, and without actually attacking any targets we started to collect information about the botnet victims.

We can see in the picture an example of an attack instruction in JSON format received from the CNC. The first parameter, the script, contains the commands that will be executed by the spreading bot. First it will run the curl command to download the exploit payload bundle that will be used to infect the victim, and here is the name of the file to download; we can see it's located under the css directory in repository B, the one I just showed you. The second parameter, the payload, contains a list of victim sites that will be attacked by the spreading bot, and the last parameter is the hostname or the IP that hosts all those victim sites.

Moving to the botnet purpose. In order to understand the purpose of those victims as pending bots we had to become a victim ourselves, so we created a CMS honeypot and attacked it with our spreading bot from the infiltration step. Then we reported back to the CNC a successful attack, and by that our honeypot became a pending bot in the KashmirBlack botnet, waiting for the CNC to approach. We saw five types of purposes for the botnet. The first two we already discussed, those are the pending bot and the spreading bot, so we'll talk about the others. An exciting purpose we observed is the cryptominer that mines Monero coins. As part of the code analysis we did we got access to the hacker's payment address and we could see his balance in real time. The next purpose was discovered as a result of our honeypot being converted into a clickbait bot: when we tried to access the honeypot login page we were redirected to one of many clickbait sites. And the last purpose is defacement. Once we saw the defacement signature we discovered the nickname of the hacker behind the botnet. We also discovered that he is part of the Indonesian hacker crew PhantomGhost. Searching the internet we found even more interesting information about the crew, like the Facebook page and even an online shop that sells the PhantomGhost crew t-shirts.

Now, after we are familiar with all the entities, Ofir will continue and show the entire operation live.

Thank you Sarit, and hi everyone. So how does this botnet work? It all starts when a bot exploits the PHPUnit remote code execution on a victim server. It causes the victim server to download the infection script from the CNC and execute it. Now the infected server will approach repository A every three minutes to download the fresh communication script. At this stage we can say that the victim server is part of the KashmirBlack botnet. The newly infected bot communicates with the CNC to get attack instructions that describe who to attack and which bundle to use. Then the bot downloads the bundle from repository B and additional payloads from GitHub and Pastebin. Then the bot attacks the victim, and on a successful attack it will become part of the botnet. As the last step in the process the bot reports back to the CNC.

Now that we are familiar with the operation we can move on and describe the evolution of the botnet over the research period and the DevOps strategy that enabled it to carry out its crimes. Remember that the botnet had only one repository each for A and B. Once the botnet size increased, so did the load on the repositories. In addition, since the repositories were actually legitimate sites, they couldn't be considered permanent and reliable entities. The attacker had to take action. Three changes were implemented in the botnet infrastructure to solve this: adding a new entity, the repository A load balancer; expanding repository A into multiple repositories; and expanding repository B. There were three main reasons behind these changes: to make the botnet more dynamic and scalable, to add redundancy, and load balancing. The following diagram shows the old infrastructure against the new one. While in the old infrastructure every bot addresses repository A directly, in the new one each bot addresses the load balancer to get one of many repositories. To integrate this change into the botnet operation an additional change in the botnet was required; we will discuss this change later on.

Now let's talk about internal changes that were made in order to secure the CNC and the botnet operation. The CNC is the most sensitive and critical component in the entire operation; securing it is critical. Let me take you back a little bit to the steps where we infiltrated the botnet and played the victim. We created the honeypot, we attacked it with our spreading bot and reported back to the CNC. We believe that the attacker grew suspicious, as he performed two internal changes in order to avoid interfering with the CNC: the reporting address was changed and a bot IP tracking mechanism was added. The first change is related to the reporting address. This change helps with managing bot versions, but the report to the new address is a new part. The second change is within the botnet's communication script: it was updated with a bot tracking mechanism. A simple header change adds the bot's IP and country while it communicates with the CNC; it allowed the CNC to track and monitor the operation of each bot in the botnet. There are two goals behind this mechanism: the first is to secure the botnet and the second is to manage bot versions and upgrades.

Now let's see how it comes to work. The changes that we described created a situation where some bots were using the new infrastructure while others were only aware of the old one. This diagram describes the upgrade process. On the left side you can see the old infrastructure: when an old bot communicates with the CNC without the IP tracking header, the CNC sends back an attack instruction that will instruct the bot to download the upgrade script from repository B. Once the bot executes the script it will turn into a new bot that is now aware of the new infrastructure. On the right side, the upgraded bot addresses the load balancer to choose one of many repositories.

Now let's talk about migrating the CNC to a cloud-based service. There are fundamental problems in the botnet architecture: since bots communicate directly with the CNC and the repositories, their IP is exposed and security controls may block them. An interesting infrastructure change has evolved to solve this problem: integrating Dropbox into the operation. Instead of communicating directly with the infrastructure entities, the CNC and the repositories, the bots are now communicating only with Dropbox. Now the Dropbox API is being used to fetch attack instructions and upload reports. This is a big step towards camouflaging the botnet traffic, securing the CNC operation and, most importantly, making it difficult to trace back to the hacker behind the operation.

Now let's discuss some key takeaways. Botnet deployment is similar to an application development process. There are some important key features we need to consider in order to create a stable botnet that is here to stay; those are stability, flexibility and CI/CD. In order to create a stable botnet we need to take into consideration load balancing and redundancy, enabling scalability while growing. In other words, stability is the foundation that enables the botnet to exist, but this is not enough. The separation of the exploits from the infrastructure enables maximum flexibility, as the attacker can add new exploits anytime. Together those two key features are the basics of the ability to grow and expand. On the other hand we have the CI/CD branch that enables version control and deployment cycles; we call it automation. Behind every massive operation we must have an automatic process to support it. Expansion and growth cannot exist without a solid CI/CD process.

Now let's talk about the insider point of view. As a security company we have data of hundreds of thousands of customers where we can see attacks in the wild, but this is not good enough, since our data is biased by our customers. Here are a couple of advantages we got from the insider point of view. Being inside the botnet operation gave us an advantage in the analysis, as we could see the big picture and not just a small portion of the infection. We watched the botnet operation and evolution from the front row; we saw new repositories, exploits and payloads added in real time. By analyzing the code changes we concluded what motivated the attacker to perform such changes. We had a unique foothold that enabled us to analyze the victims from the attack instructions, extracting country, platform, domains, etc. The inside intelligence led us to the educated assumption that there is some kind of automated mechanism that searches for potentially vulnerable targets and inserts them into the queue in the CNC. Analyzing the exploit distribution explains which exploits are in use and the distribution of usage: what is the frequency at which they are being used, and which are more common than others. All of this information is accessible only from the insider point of view, and it is critical in order to understand the scope of the operation and the motivation and challenges of the attacker.

Now let's sum up everything that we talked about. In botnet development the attacker wears multiple hats: the attacker is the developer, the architect and the DevOps. The usage of third-party services is a critical part of the infrastructure in terms of camouflaging the botnet and bypassing security controls, and it is not necessary to use exotic exploits in order to expand. So what can we do to prevent infection? First, make sure that you are up to date with the latest security patches and that there are no unused or unsupported plugins installed that might increase your attack surface. In terms of research, first we need to map all the entities, we need to learn the botnet communication protocol, and last, visibility is essential to understand the big picture.

You are probably wondering what the current state of the KashmirBlack botnet is. When we decided that our research had come to an end we collected IPs, hostnames, hosting services and every possible piece of information from bots, repositories, CNC and entities. We notified the owners of the infected servers and hosting services about the malicious activity, and today the KashmirBlack botnet is dead, at least as we know it. We checked our data lake and we couldn't find any traces of new infections.

Thank you very much for listening to our talk about the KashmirBlack botnet. Feel free to contact us if you have any questions. For additional information you can read the two blogs that we wrote; just search for KashmirBlack on Imperva's site. Thank you, thank you.
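The two persistence indicators the speakers describe, the crontab task that runs every three minutes with a base64-encoded Python payload and its output sent to /dev/null (with mail notifications removed), and the exploit bundles stored as zip files behind a .css extension, are both things a server owner can check for. The following is an added example written for this page, not code from the talk or from Imperva, that implements those checks over constructed sample inputs: it flags crontab entries that combine a short */N schedule, a python command carrying base64 and a /dev/null redirect, reports an empty MAILTO line, and lists .css files whose first bytes are a zip signature. The sample crontab, the in-memory archive, the 15-minute threshold and all function names are assumptions of this example.

```python
"""Added example, not code from the talk or from Imperva: two defender-side
checks for the infection indicators the speakers describe.

  1. A crontab entry that runs every few minutes, launches python with a
     base64-encoded payload and sends its output to /dev/null, plus the
     MAILTO="" line that silences cron mail notifications.
  2. A file under a web root that has a .css extension but starts with a zip
     signature, like the exploit bundles hidden among real stylesheets.

All sample inputs below are constructed for illustration.
"""
import io
import re
import zipfile

CRON_FIELDS = 5                      # minute hour dom month dow, then the command
MAX_INTERVAL_MINUTES = 15            # "*/N" with N at or below this is suspicious (assumed threshold)
SILENCED = re.compile(r">\s*/dev/null\s+2>&1")
MAILTO_EMPTY = re.compile(r'^\s*MAILTO\s*=\s*(""|\'\')?\s*$', re.M)
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # zip local file header / empty archive


def analyze_crontab(text):
    """Return a list of findings for entries that show at least two indicators."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment or variable assignment
        parts = line.split(None, CRON_FIELDS)
        if len(parts) <= CRON_FIELDS:
            continue  # malformed or @reboot-style entry; out of scope here
        minute, command = parts[0], parts[CRON_FIELDS]
        reasons = []
        step = re.fullmatch(r"\*/(\d+)", minute)
        if step and int(step.group(1)) <= MAX_INTERVAL_MINUTES:
            reasons.append("runs every %s minutes" % step.group(1))
        if re.search(r"\bpython\S*", command) and "base64" in command:
            reasons.append("python with base64-encoded payload")
        if SILENCED.search(command):
            reasons.append("output discarded to /dev/null")
        if len(reasons) >= 2:
            findings.append({"line": lineno, "entry": line, "reasons": reasons})
    return findings


def mail_notifications_suppressed(text):
    """True when the crontab disables mail output with an empty MAILTO."""
    return MAILTO_EMPTY.search(text) is not None


def disguised_archives(files):
    """Given {name: bytes}, return names ending in .css that carry a zip signature."""
    return sorted(name for name, data in files.items()
                  if name.lower().endswith(".css") and data[:4] in ZIP_MAGIC)


# Constructed sample crontab (not a real capture); the base64 argument is a placeholder.
SAMPLE_CRONTAB = """\
# constructed sample crontab, not a real capture
MAILTO=""
0 3 * * * /usr/bin/certbot renew --quiet
*/3 * * * * python -c "import base64;exec(base64.b64decode('PLACEHOLDER'))" > /dev/null 2>&1
"""


def _make_zip(members):
    """Build a small zip archive in memory (helper for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed web-root listing: one real stylesheet, one zip hidden as .css, one honest zip.
SAMPLE_FILES = {
    "style.css": b"body { margin: 0; }\n",
    "bundle.css": _make_zip({"readme.txt": b"constructed placeholder"}),
    "archive.zip": _make_zip({"a.txt": b"x"}),
}

if __name__ == "__main__":
    for f in analyze_crontab(SAMPLE_CRONTAB):
        print("crontab line %d: %s" % (f["line"], ", ".join(f["reasons"])))
    print("mail suppressed:", mail_notifications_suppressed(SAMPLE_CRONTAB))
    print("disguised archives:", disguised_archives(SAMPLE_FILES))
```

Requiring two of the three crontab indicators keeps legitimate short-interval jobs (a monitoring script that happens to redirect to /dev/null, for example) from being flagged on a single trait, while the magic-byte check catches the hidden bundles regardless of the file name prefix they use.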