New study about the emerging DDoS botnet known as Abcbot has revealed links with a cryptocurrency mining botnet attack.
Abcbot is a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud. The main idea of this threat is to download malware that co-opts the machine to a botnet. The attacks coming from this threat have first been reported by Qihoo 360’s Netlab security team in November 2021.
Trend Micro identified a previous version of this shell malware in October 2021 attacking vulnerable ECS instances within Huawei Cloud.
Unexpectedly, further research of this botnet has uncovered striking parallels between Abcbot’s code and that of a cryptocurrency mining operation known as Xanthe that spreads the infection through the use of misconfigured Docker implementations, including IP addresses, URLs, and samples.
From the details that have been revealed, it seems that the same threat actor is behind both Xanthe and Abcbot. What supports this conclusion is that, from the way the source code is formatted to the names given to routines, there is a wide range of semantic commonalities between these two malware families. For example, identical names such as “nameservercheck” are observed in both malware families and they both have the word “go” prefixed to their names (e.g., “filerungo”).
This only comes to support the thesis that the Abcbot version of the attack has undergone multiple iterations, each introducing new features.
Further analysis of malware artifacts revealed that the botnet was able to generate up to four new users, each with administrator privileges over the infected machine, under the disguise of generic names such as “autoupdater”, “logger”, “sysall”, and “system”, all in order to evade detection.
This is not the first time similarities are found between malware families. In fact, code reuse and even exact copying of malicious code is a common practice. From a development perspective, it makes sense, just as code for valid software is reused to save time, the same applies for malicious or illegal software, the research explains.