A new version of the Abcbot bot targets Chinese cloud providers

Researchers spotted a new botnet named Abcbot hat that mainly targeted Chinese cloud hosting providers over the past months.

Security researchers discovered a new botnet, named Abcbot, that focused on Chinese cloud hosting providers over the past months.

The list of targeted providers includes Alibaba Cloud, Baidu, Tencent, and Huawei Cloud.

In November, researchers from Qihoo 360’s Netlab security team spotted the Abcbot botnet that was targeting Linux systems to launch distributed denial-of-service (DDoS) attacks. The security firm analyzed a total of six versions of the botnet since November. An early version of the bot was initially documented in October by Trend Micro researchers.

The name Abcbot used to track the bot comes from the source path “abc-hello.”

Now Cado Security experts found a new version of a malicious shell script targeting insecure cloud instances running under the above Chinese cloud hosting providers.

Upon execution, the shell script calls a number of functions sequentially, the first one named nameservercheck disables SELinux protections and creates a backdoor. The bot also kills competing malware, including crypto mining and cloud-focused malware, on the same systems.

The bot also removes SSH keys and inserts its own to guarantee exclusive access to the infected host.

“Aside from this, the shell script exhibits similar functionality seen in previous versions, with the threat actor removing SSH keys left by similar attacks and inserting their own to guarantee access to the host. The sample also downloads one of the additional ELF binary payloads observed by Trend Micro and saves it as “abchello”.” reads the analysis published by the experts. “However, the code used to download the third payload appears to be commented-out.”

At this time the size of the Abcbot botnet is still unknown.

“Finally, if a SSH known_hosts file and corresponding public key exists in the root user’s .ssh directory, the script iterates through the known hosts, connecting to each one in turn and installing a copy of itself using the data transfer tools mentioned previously.” concludes the analysis. “This allows propagation of the malware in a worm-like fashion and ensures rapid compromise of related hosts.”

The report also includes Indicators of compromise for this threat.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Abcbot botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.