According to new research, the infrastructure underpinning a developing DDoS botnet known as Abcbot has been linked to a cryptocurrency-mining botnet attack discovered in December 2020. Attacks employing Abcbot were first revealed in November 2021 by Qihoo 360’s Netlab security team.
They’re triggered by a malicious shell script that targets insecure cloud instances operated by cloud service providers like Huawei, Tencent, Baidu, and Alibaba Cloud. It also downloads malware that turns the machine into a botnet but not before terminating processes from competing threat actors and establishing persistence.
The shell script in question is an updated version of one found by Trend Micro in October 2021, which targeted Huawei Cloud’s vulnerable ECS instances. However, further examination of the botnet using all known Indicators of Compromise (IoCs), such as IP addresses, URLs, and samples, revealed Abcbot’s code and feature-level similarities to that of a cryptocurrency mining operation known as Xanthe, which spread the infection using incorrectly configured Docker implementations.
“The same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks,” Cado Security’s Matt Muir said in a report.
The semantic similarities between two malware families range from the way the source code is formatted to the names given to routines, with some features having not only identical names and implementations (e.g., “nameservercheck”) but also the word “go” attached to the end of the function names (e.g., “filerungo”).
Muir clarified that this might mean that the Abcbot version of the function has been iterated numerous times, with additional functionality being added each time. In addition, a thorough investigation of the malware artifacts showed the botnet’s capacity to spawn up to four users on its own, employing generic, inconspicuous names such as “logger,” “autoupdater,” “sysall,” and “system” to evade detection, then adding them to the sudoers file to give the infected system’s rogue users administrative rights.
Muir said that code repetition and even like-for-like copying is common among malware families and individual samples on every platform. It makes sense from a development standpoint; just as valid software code is reused to reduce development time, illegitimate or malicious software code is reused to save development time.
