Researchers found that the Abcbot Botnet is related with the Xanthe Cryptomining Malware

New study about the emerging DDoS botnet known as Abcbot has revealed links with a cryptocurrency mining botnet attack.


Abcbot is a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud. The main idea of this threat is to download malware that co-opts the machine to a botnet. The attacks coming from this threat have first been reported by Qihoo 360’s Netlab security team in November 2021.

Trend Micro identified a previous version of this shell malware in October 2021 attacking vulnerable ECS instances within Huawei Cloud.

Unexpectedly, further research of this botnet has uncovered striking parallels between Abcbot’s code and that of a cryptocurrency mining operation known as Xanthe that spreads the infection through the use of misconfigured Docker implementations, including IP addresses, URLs, and samples.

From the details that have been revealed,  it seems that the same threat actor is behind both Xanthe and Abcbot. What supports this conclusion is that, from the way the source code is formatted to the names given to routines, there is a wide range of semantic commonalities between these two malware families. For example, identical names such as “nameservercheck” are observed in both malware families and they both have the word “go” prefixed to their names (e.g., “filerungo”).

This only comes to support the thesis that the Abcbot version of the attack has undergone multiple iterations, each introducing new features.

Further analysis of malware artifacts revealed that the botnet was able to generate up to four new users, each with administrator privileges over the infected machine, under the disguise of generic names such as “autoupdater”, “logger”, “sysall”, and “system”, all in order to evade detection.

This is not the first time similarities are found between malware families. In fact, code reuse and even exact copying of malicious code is a common practice. From a development perspective, it makes sense, just as code for valid software is reused to save time, the same applies for malicious or illegal software, the research explains.


About the author


Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment