
Abcbot Malware Linked to the Developers of the Xanthe Cryptomining Campaign

Abcbot, the recently discovered botnet, has a longer history than originally believed. Ongoing analysis of the malware family shows a clear link to the Xanthe-based cryptojacking campaign that Cisco's Talos security research team uncovered in late 2020. At the time, Talos was alerted to an intrusion on one of its Docker honeypots and found malware that behaved like a cryptocurrency-mining bot.

That malware is known as Xanthe, and its main purpose is to mine cryptocurrency with the resources of compromised systems. The findings suggest that the same threat actor is behind both Xanthe and Abcbot, and that its goal has shifted from mining cryptocurrency on compromised hosts to more traditional botnet activity such as DDoS attacks.

Abcbot attacks, first reported by Qihoo 360's Netlab security team in November 2021, begin with a malicious shell script that targets insecurely configured cloud instances hosted by providers such as Huawei Cloud, Tencent, Baidu, and Alibaba Cloud. The script downloads the malware that enlists the machine in the botnet, but not before killing processes belonging to competing threat actors and establishing persistence. The shell script is an updated version of one that Trend Micro documented in October 2021, which targeted vulnerable Huawei Cloud ECS instances.

Further investigation of the botnet, including mapping all known indicators of compromise (IoCs) such as IP addresses, URLs, and samples, revealed code- and feature-level similarities between Abcbot and Xanthe, a cryptocurrency-mining operation that spread through misconfigured Docker deployments.

The similarities between the two malware families range from the way the source code is formatted to the names given to routines: some functions have identical names and implementations (e.g., "nameservercheck"), and both share the convention of appending "go" to function names (e.g., "filerungo"). Researchers also found that Abcbot adds four backdoor user accounts to the compromised machine:
  • Logger 
  • Ssysall 
  • Ssystem 
  • sautoupdater 
Researchers believe there are substantial links between the Xanthe and Abcbot malware families, implying that the same threat actor is behind both. Most of these links, including string reuse, references to shared infrastructure, stylistic choices, and overlapping functionality, would be difficult and inefficient to reproduce identically by chance. If the same threat actor is behind both campaigns, it signals a shift away from cryptocurrency mining on compromised devices toward botnet operations such as DDoS attacks.
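A check a defender can run on a suspect Linux host, added here as an example and not code from the post or from the researchers' reports: compare the current /etc/passwd against a known-good baseline and list every account that has appeared since, flagging any that is root-equivalent (UID 0). Diffing against a baseline catches backdoor accounts whatever names the malware picks. The account names and passwd contents below are constructed for the example and are not Abcbot IoCs.

```shell
#!/bin/sh
# Added example (not from the original post): find local accounts added since a
# baseline snapshot of /etc/passwd. Malware that persists by creating users shows
# up here regardless of the usernames it chooses. All sample data is constructed.

# Usage: added_accounts BASELINE_PASSWD CURRENT_PASSWD
# Prints "name uid shell" for each account present now but absent from the baseline.
added_accounts() {
    baseline="$1"; current="$2"
    # First pass (NR==FNR) records baseline usernames; second pass prints the rest.
    awk -F: 'NR==FNR { seen[$1] = 1; next } !($1 in seen) { print $1, $3, $7 }' \
        "$baseline" "$current"
}

# Usage: rogue_uid0 PASSWD
# Prints accounts that are root-equivalent (UID 0) but not named root.
rogue_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample data (hypothetical host, not a real capture).
# Prints the directory holding passwd.baseline and passwd.now.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
EOF
    # After the hypothetical compromise: two new accounts, one of them UID 0.
    cat > "$dir/passwd.now" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
sysupd:x:1001:1001::/home/sysupd:/bin/bash
helper:x:0:0::/root:/bin/bash
EOF
    echo "$dir"
}

# Stand-alone demo on the constructed data.
demo_dir=$(make_samples)
echo "Accounts added since baseline (name uid shell):"
added_accounts "$demo_dir/passwd.baseline" "$demo_dir/passwd.now"
echo "Non-root accounts with UID 0:"
rogue_uid0 "$demo_dir/passwd.now"
```

On a real host the baseline would come from a golden image or configuration management, and the same diff should be run over /etc/shadow and /etc/sudoers.d, since a backdoor account is only useful to the attacker if it can log in or escalate.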

Chinese Cloud Hosting Providers Targeted by Abcbot

Cybersecurity researchers have discovered a new malware botnet that in recent months has been targeting the infrastructure of Chinese cloud hosting providers almost exclusively. The botnet, dubbed Abcbot, has attacked servers hosted by Alibaba Cloud, Baidu, Tencent, and Huawei Cloud, Cado Security said in a report, confirming earlier findings from Trend Micro and Qihoo 360 Netlab.

“My theory is that the newer CSPs such as Huawei Cloud, Tencent, and Baidu are not as mature as something like AWS, which includes automatic alerting when a cloud instance is deployed in an insecure fashion,” Matt Muir of Cado Security told The Record in an email this week. 

“Alibaba Cloud certainly has been around longer so its security services are more mature, but it is noteworthy that after Trend Micro [initially] saw malware targeting Huawei Cloud, the new samples we analyzed are targeting additional Chinese cloud providers,” Muir added. 

Abcbot targets Linux servers hosted by these providers that use weak passwords or run unpatched software.

Once it gains a foothold, Abcbot runs a bash script that disables SELinux, creates a backdoor for the attacker, and then checks the host for signs of other malware botnets.

If rival malware is found, Abcbot kills the processes associated with other botnets as well as those belonging to crypto-mining operations. It then goes a step further than most botnets: it deletes the existing SSH authorized keys and leaves only its own in place, so that only the attacker retains SSH access.

According to Muir, this behavior suggests that other actors are using the same access technique, which the Abcbot developers noticed and chose to block.

Muir said the Abcbot variants Cado analyzed contained only the functionality needed to enroll compromised systems in the botnet.

The earlier samples analyzed by Trend Micro, by contrast, carried cryptocurrency-mining modules, and the Netlab samples contained DDoS components. Given the effort Abcbot puts into killing crypto-mining processes it did not start, its ultimate goal may still be to generate cryptocurrency income for the attackers. Cado and other researchers do not yet know the size of the Abcbot botnet.

“Given that the malware targets specific CSPs, this suggests that propagation is fairly limited,” Muir said. 

“The method of propagation (via enumeration of known_hosts) could mean that it has spread beyond the boundaries of the CSPs it was originally meant to target,” the Cado Security researcher added.
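Two checks that follow from the SSH behavior described in this post, added here as an example and not code from Cado Security or the original article: audit authorized_keys against an allowlist of keys the team actually issued (a host where the legitimate keys are gone and a single unknown key remains matches the "delete every key but its own" pattern above), and enumerate known_hosts the way a worm would, which shows what an attacker inherits from a compromised account and why `HashKnownHosts yes` in ssh_config blunts that propagation method. The key blobs, hostnames, and file contents below are constructed for the example, not real keys or IoCs.

```shell
#!/bin/sh
# Added example (not from the original post or Cado's report). Sample data is constructed.

# 1) Audit authorized_keys against an allowlist of known key blobs.
# Usage: unknown_keys ALLOWLIST AUTHORIZED_KEYS
# ALLOWLIST holds one base64 key blob per line. Prints the blob of every
# authorized_keys entry whose blob is not in the allowlist.
unknown_keys() {
    allow="$1"; authk="$2"
    # authorized_keys lines may start with options (e.g. no-port-forwarding),
    # so locate the key-type token and take the blob that follows it.
    awk 'NR==FNR { ok[$1] = 1; next }
         /^[[:space:]]*(#|$)/ { next }
         {
           blob = ""
           for (i = 1; i <= NF; i++)
             if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+)$/) { blob = $(i+1); break }
           if (blob != "" && !(blob in ok)) print blob
         }' "$allow" "$authk"
}

# 2) Enumerate reachable hosts from known_hosts, as a worm would.
# Usage: known_hosts_targets KNOWN_HOSTS
# Plaintext entries ("host,ip key ...") yield targets directly; "[host]:port"
# marks a non-default port. Hashed entries (|1|salt|hash) and @-marked lines
# (@cert-authority, @revoked) are skipped: they reveal no target.
known_hosts_targets() {
    awk '/^[[:space:]]*(#|$)/ { next }
         $1 ~ /^\|1\|/ { next }
         $1 ~ /^@/ { next }
         { n = split($1, hosts, ","); for (i = 1; i <= n; i++) print hosts[i] }' "$1"
}

# Usage: known_hosts_hashed_count KNOWN_HOSTS
# Counts entries that HashKnownHosts made non-enumerable.
known_hosts_hashed_count() {
    awk '$1 ~ /^\|1\|/ { c++ } END { print c + 0 }' "$1"
}

# Constructed sample data (hypothetical host). Prints the directory holding it.
make_ssh_samples() {
    dir=$(mktemp -d)
    # Keys the team issued (constructed blobs, not real key material).
    cat > "$dir/allowlist" <<'EOF'
AAAAConstructedAdminKey1
AAAAConstructedDeployKey2
EOF
    # authorized_keys after the hypothetical compromise: admin key removed,
    # deploy key still present, one foreign key added.
    cat > "$dir/authorized_keys" <<'EOF'
# managed by configuration management
no-port-forwarding ssh-ed25519 AAAAConstructedDeployKey2 deploy@ci
ssh-ed25519 AAAAConstructedAttackerKey3 root@unknown
EOF
    # known_hosts mixing plaintext, non-default port, hashed and CA entries.
    cat > "$dir/known_hosts" <<'EOF'
db01.internal,10.0.1.20 ssh-ed25519 AAAAConstructedHostKeyA
[bastion.example]:2222 ssh-rsa AAAAConstructedHostKeyB
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAConstructedHostKeyC
@cert-authority *.example ssh-ed25519 AAAAConstructedCAKeyD
EOF
    echo "$dir"
}

# Stand-alone demo on the constructed data.
demo_dir=$(make_ssh_samples)
echo "Keys in authorized_keys not on the allowlist:"
unknown_keys "$demo_dir/allowlist" "$demo_dir/authorized_keys"
echo "Hosts a worm could enumerate from known_hosts:"
known_hosts_targets "$demo_dir/known_hosts"
echo "Hashed (non-enumerable) known_hosts entries: $(known_hosts_hashed_count "$demo_dir/known_hosts")"
```

The second function is the attacker's view: every plaintext known_hosts entry is a host that the compromised account has connected to before and, if the same key or password is reused, can probably reach again. Hashing known_hosts does not stop SSH from working, it only removes the free target list, which is why it is worth turning on before the compromise rather than after.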