CrimeOps of the KashmirBlack Botnet
2021-06-12, 11:00–11:45, Track 1

We'll expose the KashmirBlack botnet that infected CMS platforms, using Plug&Play infrastructure to deploy its malicious code, expand and stay undetected. We will take you down the rabbit hole into our journey where we went undercover, deployed a honeypot and participated in the botnet, resulting in the exposure of the Indonesian hacker crew ‘PhantomGhost’.
Explore the DevOps behind the botnet, discuss its purpose and go deep into the bits-and-bytes of the operation and the infection technique.


In this session we will expose the "KashmirBlack" botnet that infected hundreds of thousands of CMS platform victims. It uses Plug&Play infrastructure, which makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation.

We will take you down the rabbit hole into our journey where we went undercover, deployed a honeypot and participated in the botnet, resulting in the exposure of the Indonesian hacker crew ‘PhantomGhost’.
By infiltrating the botnet’s operation, we got a rare opportunity to witness its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay.

Explore the DevOps behind the botnet, discuss its purpose and go deep into the bits-and-bytes of the entities, the operation and the infection technique.

The KashmirBlack botnet utilizes dozens of known vulnerabilities on its victims’ servers, performing millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world.

It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 servers, mostly innocent surrogates, as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.

Security Researcher at Imperva for the last 3 years, and 2 years before that as a database security and compliance expert. Experience with web application vulnerability research and analysis, database security and web application security, data and information security, compliance and regulations, risk management, vulnerability assessments and scanning.

Security researcher at Imperva for the last 5 years in web application and cloud data security, and 5 years before that as a security analyst. Analyses CVEs and threats in web applications and cloud environments, and develops algorithms to detect and protect against attacks.