New analysis into the infrastructure behind an emerging DDoS botnet named Abcbot has uncovered links with a cryptocurrency-mining botnet attack that came to light in December 2020.
Attacks involving Abcbot, first disclosed by Qihoo 360's Netlab security team in November 2021, are triggered via a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud to download malware that co-opts the machine into a botnet, but not before terminating processes from competing threat actors and establishing persistence.
The shell script in question is itself an iteration of an earlier version originally discovered by Trend Micro in October 2021 hitting vulnerable ECS instances inside Huawei Cloud.
But in an interesting twist, continued analysis of the botnet by mapping all known Indicators of Compromise (IoCs), including IP addresses, URLs, and samples, has revealed code- and feature-level similarities between Abcbot and a cryptocurrency mining operation dubbed Xanthe that exploited incorrectly configured Docker installations to propagate the infection.
"The same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks," Cado Security's Matt Muir said in a report shared with The Hacker News.
The semantic overlaps between the two malware families range from how the source code is formatted to the names given to the routines, with some functions not only sporting identical names and implementations (e.g., "nameservercheck") but also having the word "go" appended to the end of the function names (e.g., "filerungo").
"This could indicate that the Abcbot version of the function has been iterated on several times, with new functionality added at each iteration," Muir explained.
Furthermore, the deep-dive examination of the malware artifacts revealed the botnet's capability to create as many as four users of its own, using generic, inconspicuous names like "autoupdater," "logger," "sysall," and "system" to evade detection, and adding them to the sudoers file to give the rogue users administrative powers over the infected system.
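The persistence trick just described (generic-looking accounts plus a sudoers entry) is easy to audit for on a Linux host. The following script is an added example written for this page, not code from the Cado Security report or from the malware itself: it parses passwd- and sudoers-format text, flags any account whose name matches one of the four reported Abcbot names, and, more generally, any account that holds a sudo rule but is not on an operator-supplied allow list, or that has UID 0 without being root. The sample passwd and sudoers content is constructed for the example, and the allow list of known administrators is an assumption you would replace with your own baseline.

```python
"""Audit passwd/sudoers content for rogue accounts of the kind attributed to Abcbot.

Added example for this article; not code from the Cado Security report or the
malware.  All sample data below is constructed.
"""
import re

# Account names reported for Abcbot.  A match is a strong signal but not proof
# by itself; pair it with the sudo/UID checks below.
SUSPICIOUS_NAMES = {"autoupdater", "logger", "sysall", "system"}

# Matches a user specification line such as:  alice ALL=(ALL) NOPASSWD:ALL
# Group rules (%name), Defaults, aliases and #include directives are skipped.
SUDO_RULE = re.compile(r"^(?P<who>[^\s#%]+)\s+\S+=\s*(?:\([^)]*\)\s*)?(?P<cmd>.+)$")
SKIP_PREFIXES = ("#", "Defaults", "%", "User_Alias", "Cmnd_Alias",
                 "Host_Alias", "Runas_Alias", "@include")


def parse_passwd(text):
    """Return {username: (uid, login_shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; ignore rather than crash the audit
        users[fields[0]] = (int(fields[2]), fields[6])
    return users


def parse_sudoers(text):
    """Return the set of usernames that are granted a sudo rule directly."""
    granted = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SUDO_RULE.match(line)
        if m:
            granted.add(m.group("who"))
    return granted


def find_rogue_accounts(passwd_text, sudoers_text, known_admins=frozenset()):
    """Return [(username, [reasons...])] for accounts worth investigating.

    known_admins is the operator's baseline of accounts expected to hold sudo
    rights (an assumption of this example; supply your own list).
    """
    users = parse_passwd(passwd_text)
    sudoers = parse_sudoers(sudoers_text)
    findings = []
    for name, (uid, shell) in sorted(users.items()):
        reasons = []
        if name in SUSPICIOUS_NAMES:
            reasons.append("name matches reported Abcbot account")
        if name in sudoers and name not in known_admins:
            reasons.append("sudo rule for unexpected account")
        if uid == 0 and name != "root":
            reasons.append("non-root account with UID 0")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample data: two Abcbot-style accounts next to legitimate ones.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1000:1000:ops:/home/ops:/bin/bash
autoupdater:x:1001:1001::/home/autoupdater:/bin/bash
logger:x:1002:1002::/home/logger:/bin/bash
"""

SAMPLE_SUDOERS = """\
# constructed sample, not from a real host
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
ops ALL=(ALL) ALL
autoupdater ALL=(ALL) NOPASSWD:ALL
logger ALL=(ALL) NOPASSWD:ALL
"""

if __name__ == "__main__":
    # On a real host you would read /etc/passwd and /etc/sudoers instead.
    for user, why in find_rogue_accounts(SAMPLE_PASSWD, SAMPLE_SUDOERS,
                                         known_admins={"root", "ops"}):
        print(f"{user}: {'; '.join(why)}")
```

Two caveats a practitioner would add: real deployments also grant privileges through drop-in files under /etc/sudoers.d and through group rules (the `%sudo` line above), so the same parser should be run over each drop-in and the members of privileged groups checked against the same baseline; and an account whose name merely matches the list is a lead, not a verdict, which is why the sudo and UID-0 checks are reported alongside it.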
"Code reuse and even like-for-like copying is often seen between malware families and specific samples on any platform," Muir said. "It makes sense from a development perspective; just as code for legitimate software is reused to save development time, the same occurs with illegitimate or malicious software."