Today, we're going to talk about the crime of the KashmirBlack botnet. But first, let me introduce myself. My name is Sarit, and I have been a security researcher at Imperva for the last 10 years. My main focus is web application security, and I develop algorithms to detect and protect against attacks. My colleague Ofir has been a security researcher for the last five years. His focus is database and web application security. Before diving into the bits and bytes of our research, I would like to introduce you to the KashmirBlack botnet. So it all started in November 2019 and lasted 11 months, which is basically our research period. We discovered a botnet that attacks popular CMS platforms, such as WordPress, Joomla, Magento, et cetera, in more than 30 different countries around the world. It performs millions of attacks per day on average, and we calculated that there were hundreds of thousands of bots out there participating in the botnet operation. These bots utilize dozens of known vulnerabilities with different attack types, like file upload, remote code execution, and many more. This session is a journey into the botnet core from the attacker's point of view. So let's start. Security research and investigation can sometimes be like a crime scene investigation, but our crime scene is spread all over the network, with nobody in place. So we need to collect the clues and fingerprints to construct a picture of the virtual crime. As part of the study carried out at Imperva, we observed around 9 million attack attempts exploiting the PHPUnit remote code execution vulnerability. And we were wondering, why is this CVE so popular among attackers? To understand this hype, we started to analyze attacks from our data lake, and we saw different IPs using the same payload over and over again, attacking different customers, which reminded us of botnet behavior. So we decided to download the payload and dive in. And we basically started the mapping step.
We downloaded the code and performed analysis. We revealed all the entities of the operation, and later we'll talk about them in further detail. The next step we took was infiltration. We saw that the botnet was updating on a regular basis, so we decided to act like a bot and gather these updates for later analysis. And finally, we played the victim. We created a honeypot in order to understand the post-exploitation stage. So let's review all those entities that play a role in this massive operation. When looking at the botnet entities, we can split them into three groups: the botnet infrastructure, the botnet third-party services, and the botnet actors. Inside the botnet infrastructure, we have the C&C and Repositories A and B. Under the third-party services, we have GitHub, Pastebin and Dropbox, which are used on one hand to camouflage this operation, and on the other hand to make the botnet more flexible. And under the botnet actors, we have the victim and two types of bots, pending and spreading, and I will describe the difference between them later on. The first entity in the botnet infrastructure, which is responsible for the entire operation, is the command and control. And here we can see the login screen of the C&C. The KashmirBlack C&C is located in Indonesia and has three main roles: it supplies attack instructions to bots, it receives attack reports from bots, and it supplies a malicious script that infects the victim server. Here is a snapshot of the infection script. We can see that the attacker defines a parameter that represents a crontab task. This task contains a Python script and is scheduled to run every three minutes. It also includes several imports, and it uses basic base64 encoding to obfuscate the malicious payload. The output of this task is sent to /dev/null so no history will be saved. In the next code block, the attacker redefines the victim's crontab task to include this malicious Python task.
And as part of this redefinition, the attacker makes sure to remove all mail notifications. Let's move to the repositories. The original Repository A, as you can see, is a printer component shopping site. It was hacked by the attacker and was used to store the communication script file used to communicate with the C&C. Another type of repository entity in the botnet is Repository B, which is a site that was classified as an educational institute. It was used by the attacker to store bundles of exploits and payloads. And here is an example of the exploit and payload bundles. The attacker's files are located under the CSS path among other CSS files that are being used by the innocent web server. The names of those bundle files start with the in-memory prefix, and they're actually zip files hidden with the CSS extension. And here is their modification date. One of the best qualities of this botnet is that the infrastructure is just like plug and play. The attacker can expand his target victims and add new payloads and new exploits by uploading the new files here, and no infrastructure changes are required. Every file here represents an exploit that targets a specific vulnerability. Here is a partial list of CVEs the botnet uses as part of its operation. And we can see among them some remote code execution, file upload, remote file include and many more. And we can say that these vulnerabilities are related to different plugins, widgets and themes. And the conclusion here is that it's not necessary to use exotic exploits in order to expand the botnet. Moving to the cloud-based services. Another type of entity used by the attacker is GitHub. It was used as version control to store some of its files. And when we checked the repositories, we saw PHP web shells and crypto miners. And we can say that by using GitHub, the botnet achieves a layer of flexibility, as the attacker can easily update the files in this repository without interfering with the botnet activity.
Another entity is Pastebin, which is a website that allows anonymous users to share plain text through public posts called pastes. The attacker used this space as a quick and easy way to access and download backdoors in the infection step of the botnet operation. And later, we will show how Dropbox was used in order to upgrade the botnet, hide the operation behind legitimate cloud services and also secure the C&C. Now, let's talk about the two types of bots. First, the spreading bot. This bot constantly communicates with the C&C to receive attack instructions. It receives a command from the C&C telling it who to attack and how. This bot is used to infect new machines and expand the botnet. A victim that was infected by the spreading bot can become one of two: a spreading bot or a pending bot. Now, let's talk about the pending bot. As I said before, this bot is a victim site that was infected by a spreading bot, and as a result is under the control of the C&C. It stays in idle mode until the C&C approaches it and changes its purpose. And this is actually why we named it the pending bot. I will talk about the purpose in a bit. The difference between them is that the pending bot does not initiate communication with the C&C. Moving to the KashmirBlack botnet scope, the infiltration step. The best way to learn about an organization is to be part of it. The same goes for learning about the botnet operation, and we call it the infiltration step. Once we mapped all the entities of the botnet, we wanted to understand the scope of the botnet, its victims, the attack and its evolution. To answer those questions, we had to take a more active approach to the investigation. We learned the communication protocol between the bot and the C&C and we mimicked it. We infiltrated the botnet by constant communication with the C&C. We went undercover and impersonated a spreading bot in the botnet.
And without actually attacking any targets, we started to collect information about the botnet's victims. We can see in this picture an example of an attack instruction in JSON format received from the C&C. The first parameter, the script, contains the command that will be executed by the spreading bot. First, it will run the curl command to download the exploit payload bundles that will be used to infect the victim. And here is the name of the file to download. We can also see that it's located under the CSS directory in Repository B, the one I just showed you. The second parameter, the payload, contains a list of victim sites that will be attacked by the spreading bot. And the last parameter is the host name or IP that hosts all those victim sites. Now let's move to the botnet purpose. In order to understand the purpose of those victims as pending bots, we had to become a victim ourselves. So we created a CMS honeypot and attacked it with our spreading bot from the infiltration step. Then we reported a successful attack to the C&C. And by that, our honeypot became a pending bot in the KashmirBlack botnet, waiting for the C&C to approach. And we saw five types of purposes for the botnet. The first two we already discussed: those are the pending bot and the spreading bot. So we'll talk about the others. An exciting purpose we observed is the crypto miner that mines Monero coins. As part of the code analysis we did, we got access to the hacker's payment address, and we can see his balance in real time. The next purpose we discovered was a result of our CMS honeypot. It was converted into a clickbait bot. And when we tried to access the honeypot's login page, we were redirected to one of many clickbait sites. The last purpose is defacement. Once we saw the defacement signature, we discovered the nickname of the hacker behind the botnet. We also discovered this is part of the Indonesian hacker crew, Phantom Ghost.
By searching the internet, we found out even more interesting information about the crew, like the Facebook page, and even an online shop that sells the Phantom Ghost crew t-shirts. Now, after we're familiar with all the entities, we'll continue and show the entire operation live.

Thank you, Sarit. And hi, everyone. So how does this botnet work? It all starts when a bot exploits the PHPUnit remote code execution vulnerability on a victim server. It causes the victim server to download an infection script from the C&C and execute it. Now, the infected server will approach Repository A every three minutes to download a fresh communication script. At this stage, we can say that the victim server is part of the KashmirBlack botnet. Now, the newly infected bot communicates with the C&C to get attack instructions describing who to attack and which bundle to use. The bot downloads the bundle from Repository B and additional payloads from GitHub and Pastebin. Now, the bot attacks the victim. And on a successful attack, it will become part of the botnet. As a last step in the process, the bot reports back to the C&C. Now that we are familiar with the operation, we can move on and describe the evolution of the botnet over the research period and the DevOps strategies that enabled it to carry out its crimes. Do you remember that the botnet had only one Repository A and one Repository B? So once the botnet size increased, so did the load on the repositories. In addition, since the repositories were actually legitimate sites, they couldn't be considered permanent and reliable entities. The attacker had to take action. Three changes were implemented in the botnet infrastructure: adding a new entity, the Repository A load balancer, expanding Repository A into multiple repositories, and expanding Repository B. There were three main reasons behind these changes: make the botnet more dynamic and scalable, add redundancy, and load balancing. The following diagram shows the old infrastructure against the new one.
While in the old infrastructure every bot addressed Repository A directly, in the new one each bot addresses the load balancer and gets in return one of many repositories. To integrate this change into the operation, an additional change in the botnet was required. We will discuss this change later on. Now, let's talk about the internal changes that were made in order to secure the C&C and the botnet operation. The C&C is the most sensitive and important component in the entire operation. Securing it is critical. Let me take you back a little bit to the steps where we infiltrated the botnet and played the victim. We created a honeypot, attacked it with our spreading bot, and reported back to the C&C. We believe that the attacker became suspicious, as he performed two internal changes in order to avoid interference with the C&C: the reporting address was changed and a bot IP tracking mechanism was added. The first change is related to the reporting address. This change helps with managing bots and versions: a bot that reports to the new address is a new bot. The second change is within the botnet communication script. It was updated with a bot tracking mechanism. A simple architectural change adds the bot's IP and country while it communicates with the C&C. It allowed the C&C to track and monitor the operation of each bot in the botnet. There are two goals behind this mechanism. The first is to secure the botnet and the second is to manage bots, versions and upgrades. Now, let's see how it comes to work. The changes that we described created a situation where some bots were using the new infrastructure while others were only aware of the old one. This diagram describes the upgrade process. On the left side, we can see the old infrastructure. When an old bot communicates with the C&C without the IP tracking header, the C&C sends back an attack instruction that instructs the bot to download the upgrade script from Repository B.
Once the bot executes the upgrade script, it turns into a new bot that is now aware of the new infrastructure. On the right side, the upgraded bot addresses the load balancer to choose one of many repositories. Now, let's talk about migrating the C&C to a cloud-based service. There are fundamental problems in the botnet architecture: since bots communicate directly with the C&C and the repositories, their IPs are exposed and security controls may block them. An interesting infrastructure change evolved to solve this problem: integrating Dropbox into the operation. Instead of communicating directly with the infrastructure entities, the C&C and the repositories, the bots are now communicating only with Dropbox. Now, the Dropbox API is being used to fetch attack instructions and to upload reports from bots. This is a big step towards camouflaging the botnet traffic, securing the C&C operation, and most importantly, making it difficult to trace back to the hacker behind the operation. Now, let's discuss some key takeaways. Botnet deployment is similar to the application development process. There are some important key features we need to consider in order to create a stable botnet that is here to stay. Those are stability, flexibility, and CI/CD. In order to create a stable botnet, we need to take into consideration load balancing and redundancy, enabling scalability while growing. In other words, stability is the foundation that enables the botnet to exist. But this is not enough. The separation of the exploits from the infrastructure enables maximum flexibility, as the attacker can add new exploits anytime. Together, those two key features are the basis of the ability to grow and expand. On the other hand, we have the CI/CD branch that includes version control and deployment cycles. We call it automation. Behind every massive operation, there must be an automatic process to support it. Expansion and growth cannot exist without a solid CI/CD process.
Now, let's talk about the insider point of view. As a security company, we have data from hundreds of thousands of customers where we can see attacks in the wild. But this is not good enough, since our data is biased by our customers. Here are a couple of advantages we got from the insider point of view. Being inside the botnet operation gave us an advantage in the analysis, as we could see the big picture and not just a small portion of the infection. We watched the botnet evolution from the front row. We saw new repositories, exploits and payloads added in real time. And by analyzing the code changes, we concluded what motivated the attacker to perform such changes. We had a unique foothold that enabled us to analyze the victims from the attack instructions, extracting the country, the platforms, domains, et cetera. The inside intelligence led us to the educated assumption that there is some kind of automated mechanism that searches for potentially vulnerable targets and inserts them into the queue in the C&C. Analyzing the exploit distribution explains which exploits are in use and the distribution of usage: what is the frequency with which they are being used, and which are more common than others? All of this information is accessible only from the insider point of view. And it is critical in order to understand the scope of the operation and the motivation and challenges of the attacker. Now, let's sum up everything that we talked about. In botnet development, the attacker wears multiple hats. The attacker is the developer, the architect and the DevOps. Usage of third-party services is a critical part of the infrastructure in terms of camouflaging the botnet and bypassing security controls. And it is not necessary to use exotic exploits in order to expand. So what can we do to prevent infection?
First, make sure that you are up to date with the latest security patches and that there are no unused or unsupported plugins installed that may increase your attack surface. In terms of research, first, we need to map all the entities. We need to learn the botnet communication protocol. And last, visibility is essential to understand the big picture. So you're probably wondering what the current state of the KashmirBlack botnet is. When we decided that our research had come to an end, we collected IPs, hosting services and every possible piece of information from bots, repositories, the C&C and other entities. We notified the owners of the infected servers and hosting services about the malicious activity, and today the KashmirBlack botnet is dead, at least as we know it. We checked our data lake and we couldn't find any traces of new infections. So thank you very much for listening to our talk about the KashmirBlack botnet. Feel free to contact us if you have any questions, and if you want additional information, you can read the two blogs that we wrote; just search for KashmirBlack botnet on the Imperva site. Thank you.
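The talk describes the persistence the infection script leaves behind: a crontab task that runs a Python payload every three minutes, hides the payload with base64, discards its output to /dev/null and silences mail notifications. As an added defender-side example (written for this page, not code from the talk or from Imperva), here is a small Python scanner that scores crontab entries against those four indicators so an administrator can triage a suspected CMS host. The sample crontab, the five-minute "frequent" threshold, the two-indicator alert threshold and the base64 string (which decodes to a harmless print statement) are all constructed assumptions.

```python
"""Score crontab entries against the persistence indicators described in the talk.

Added example, not Imperva's code. Indicators checked per entry:
  - a */N minute schedule with N at or below SHORT_INTERVAL_MINUTES (assumed threshold)
  - an inline Python command (python -c ...)
  - a base64 decode inside the command
  - output redirected to /dev/null
A crontab-wide MAILTO="" (mail notifications silenced) is reported separately.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed sample crontab. The base64 token decodes to print('hello');
# it is a harmless stand-in, not the botnet's payload.
SAMPLE_CRONTAB = """\
MAILTO=""
0 2 * * * /usr/bin/certbot renew --quiet
*/3 * * * * python -c "import base64;exec(base64.b64decode('cHJpbnQoJ2hlbGxvJyk='))" > /dev/null 2>&1
30 4 * * 0 /usr/local/bin/backup.sh >> /var/log/backup.log
"""

CRON_FIELDS = 5
STEP_RE = re.compile(r"^\*/(\d+)$")                 # */N in the minute field
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")    # candidate base64 tokens
SHORT_INTERVAL_MINUTES = 5                          # assumption: "frequent" schedule


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list = field(default_factory=list)
    decoded_preview: str = ""


def _decode_preview(command):
    """Try to base64-decode the longest token in the command; return printable text or ''."""
    for token in sorted(B64_RE.findall(command), key=len, reverse=True):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        if text and all(c.isprintable() or c.isspace() for c in text):
            return text
    return ""


def _indicators(minute_field, command):
    """Collect the indicators present in one crontab entry."""
    reasons = []
    step = STEP_RE.match(minute_field)
    if step and int(step.group(1)) <= SHORT_INTERVAL_MINUTES:
        reasons.append(f"runs every {step.group(1)} minutes")
    if re.search(r"\bpython[0-9.]*\s+-c\b", command):
        reasons.append("inline python (-c)")
    if "base64" in command or "b64decode" in command:
        reasons.append("base64 decode in command")
    if re.search(r">\s*/dev/null", command):
        reasons.append("output discarded to /dev/null")
    return reasons


def scan_crontab(text, min_indicators=2):
    """Return (mailto_disabled, findings) for a crontab given as text."""
    mailto_disabled = False
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("MAILTO=") and line.split("=", 1)[1].strip("\"'") == "":
            mailto_disabled = True          # notifications silenced, as in the talk
            continue
        parts = line.split(None, CRON_FIELDS)
        if len(parts) <= CRON_FIELDS:
            continue                        # other environment line or malformed entry
        minute_field, command = parts[0], parts[CRON_FIELDS]
        reasons = _indicators(minute_field, command)
        if len(reasons) >= min_indicators:
            preview = _decode_preview(command) if "base64 decode in command" in reasons else ""
            findings.append(Finding(line_no, command, reasons, preview))
    return mailto_disabled, findings


if __name__ == "__main__":
    disabled, hits = scan_crontab(SAMPLE_CRONTAB)
    print("MAILTO disabled:", disabled)
    for f in hits:
        print(f"line {f.line_no}: {', '.join(f.reasons)}")
        if f.decoded_preview:
            print("  decoded payload preview:", f.decoded_preview)
```

Run against the constructed sample, the certbot and backup entries score zero indicators and are ignored, while the every-three-minutes Python entry is reported with all four indicators and its decoded payload shown for review. Because the scanner only decodes and displays the base64 token, it never executes anything it finds; the decoded preview is what an analyst reads before deciding whether the task is legitimate.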