Abcbot Botnet Linked to Operators of Xanthe Crypto Mining Malware
Reading Time: 2 minutes

According to security researchers, Abcbot Botnet is an emerging DDoS botnet linked to operators of Xanthe crypto-mining malware.

Qihoo 360’s Netlab security team in November 2021, uncovered the attacks involving Abcbbot. The attacks are triggered via a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud. This enables the attackers to download malware that co-opts the machine to a botnet, after terminating processes from competing threat actors and establishing persistence.

The current shell script is an iteration of an earlier version earlier discovered by Trend Micro in October 2021 hitting vulnerable ECS instances inside Huawei Cloud.

On further investigating all known Indicators of Compromise (IoCs), including IP addresses, URLs, and samples, the researchers have discovered feature level similarities between Abcbot’s code and a cryptocurrency mining operation dubbed Xanthe that exploited incorrectly-configured Docker implementations to propagate the infection.Abcbot Botnet Linked to Operators of Xanthe Crypto Mining Malware_1Cado Security’s Matt Muir in a report said, “The same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks.” 

There are many similarities between the two malware variants such as the source code is formatted to the names given to the routines, with some functions not only sporting identical names and implementation (e.g., “nameservercheck”). They also have the word “go” appended to the end of the function names (e.g., “filerungo”).

Muir further added, “This could indicate that the Abcbot version of the function has been iterated on several times, with new functionality added at each iteration.” 

Digging deep into the finding the malware artifacts revealed the botnet’s capability to create as many as four users of their own by using generic, inconspicuous names like “autoupdater,” “logger,” “sysall,” and “system” to avoid detection. Later these were added to the sudoers file to give the rogue users administrative powers over the infected system.

Muir explained, “Code reuse and even like-for-like copying is often seen between malware families and specific samples on any platform. It makes sense from a development perspective; just as code for legitimate software is reused to save development time, the same occurs with illegitimate or malicious software.”

Related Articles:
FBI – Hackers Mailing Malicious USB Sticks to Businesses
Critical RCE Flaw similar to Log4Shell Discovered in H2 Database Console
Latest Trick can let Malware Fake iPhone Shutdown to Spy on Users Secretly