Cybersecurity researchers have discovered a new malware botnet that has been exclusively targeting the architecture of Chinese cloud hosting companies in recent months.
The botnet, dubbed Abcbot, has attacked servers hosted by Alibaba Cloud, Baidu, Tencent, and Huawei Cloud. Cado Security noted in a research today, confirming Trend Micro and Qihoo 360 Netlab results.
“My theory is that the newer CSPs such as Huawei Cloud, Tencent, and Baidu are not as mature as something like AWS, which includes automatic alerting when a cloud instance is deployed in an insecure fashion,” Matt Muir of Cado Security told The Record in an email this week.
“Alibaba Cloud certainly has been around longer so its security services are more mature, but it is noteworthy that after Trend Micro [initially] saw malware targeting Huawei Cloud, the new samples we analyzed are targeting additional Chinese cloud providers,” Muir added.
The attacks of Abcbot attempt to control Linux servers managed by such organizations that have weak passwords or are operating unpatched programs.
When an initial entry point is discovered, Abcbot installs a Linux bash script that deactivates SELinux security safeguards, establishes a backdoor for the attacker, and then checks affected hosts for evidence of many other malware botnets.
If rival malware is discovered, Abcbot terminates activities found to be correlated with some other botnets as well as procedures associated with crypto-mining operations. It then goes a step not seen in other botnets by deleting SSH keys and only keeping its own in place to ensure that only its own may join.
According to Muir, this conduct shows that some other parties are employing a similar strategy, wherein the Abcbot programmers have also detected and opted to prohibit.
According to Muir, Cado researchers analyzed Abcbot variants that solely featured capability to corral compromised systems as part of Abcbot's botnet.
Earlier Trend Micro versions, on the other hand, had crypto-currency mining modules, and Netlab samples contained DDoS attack elements. Considering the measures Abcbot took to terminate crypto-mining processes it did not create, it is possible that its ultimate goal is to produce bitcoin income for the attackers. Cado and other investigators are still unaware of the magnitude of the Abcbot botnet.
“Given that the malware targets specific CSPs, this suggests that propagation is fairly limited,” Muir said.
“The method of propagation (via enumeration of known_hosts) could mean that it has spread beyond the boundaries of the CSPs it was originally meant to target,” the Cado Security researcher added.