Named KashmirBlack, the botnet started operating in November 2019.
Security researchers from Imperva —who analyzed the botnet last week in a two-part series— said the botnet's primary purpose appears to be infecting websites and then using their servers for cryptocurrency mining, redirecting a site's legitimate traffic to spam pages, and, to a lesser degree, defacing web pages.
Imperva said the botnet started out small, but after months of constant growth, it has evolved into a sophisticated behemoth capable of attacking thousands of sites per day.
The biggest changes occurred in May this year, when the botnet expanded both its command-and-control (C&C) infrastructure and its exploit arsenal.
Nowadays, KashmirBlack is "managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure," Imperva said.
"[The botnet] handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet."
KashmirBlack expands by scanning the internet for sites using outdated software and then using exploits for known vulnerabilities to infect the site and its underlying server.
Some of the hacked servers are then used for spam or crypto-mining, but also to attack other sites and keep the botnet alive.
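The expansion loop described above starts with bots brute-forcing logins on sites they have scanned. One thing a site operator can do with nothing more than web server access logs is flag source addresses that pile up failed login attempts in a short window. The script below is an added example written for this article; it is not code from the article or from Imperva. It assumes Apache "combined" log format and a handful of login paths (`/login`, `/admin/login`, `/user/login`) chosen for the example, and runs over a few constructed log lines embedded in the script.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for the Apache "combined" access-log format (assumed format for the sample lines).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Login endpoints to watch. These are an assumption for the example, not paths named in the article.
LOGIN_PATHS = {"/login", "/admin/login", "/user/login"}

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2020:10:01:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [20/Oct/2020:10:01:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [20/Oct/2020:10:01:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [20/Oct/2020:10:01:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [20/Oct/2020:10:01:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [20/Oct/2020:10:01:06 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.4 - - [20/Oct/2020:10:05:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Oct/2020:10:05:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Oct/2020:10:05:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Oct/2020:09:00:00 +0000] "POST /admin/login HTTP/1.1" 403 128 "-" "python-requests/2.24"
192.0.2.9 - - [20/Oct/2020:09:10:00 +0000] "POST /admin/login HTTP/1.1" 403 128 "-" "python-requests/2.24"
192.0.2.9 - - [20/Oct/2020:09:20:00 +0000] "POST /admin/login HTTP/1.1" 403 128 "-" "python-requests/2.24"
192.0.2.9 - - [20/Oct/2020:09:30:00 +0000] "POST /admin/login HTTP/1.1" 403 128 "-" "python-requests/2.24"
192.0.2.9 - - [20/Oct/2020:09:40:00 +0000] "POST /admin/login HTTP/1.1" 403 128 "-" "python-requests/2.24"
192.0.2.9 - - [20/Oct/2020:09:50:00 +0000] "POST /admin/login HTTP/1.1" 403 128 "-" "python-requests/2.24"
this line is deliberately not a log entry and is skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?")[0],  # drop any query string before comparing
        "status": int(m["status"]),
    }


def find_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failed_logins} for every IP that produced at least
    `threshold` failed login POSTs (401/403) inside any `window`-long period.
    A sliding window over sorted timestamps means slow, spread-out attempts
    (like 192.0.2.9 above) are not flagged with the default settings."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"] in LOGIN_PATHS
                and rec["status"] in (401, 403)):
            failures[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # advance the window start until it spans at most `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed login attempts in a short window")
```

Lowering `threshold` or widening `window` trades false positives for catching slower attempts; in practice the flagged addresses would feed a blocklist or a rate limiter in front of the login endpoint rather than just a printout.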
Since November 2019, Imperva says it has seen the botnet abuse 16 vulnerabilities: