A new version of the Abcbot bot targets Chinese cloud providers

Researchers spotted a new botnet named Abcbot hat that mainly targeted Chinese cloud hosting providers over the past months.

Security researchers discovered a new botnet, named Abcbot, that focused on Chinese cloud hosting providers over the past months.

The list of targeted providers includes Alibaba Cloud, Baidu, Tencent, and Huawei Cloud.

In November, researchers from Qihoo 360’s Netlab security team spotted the Abcbot botnet that was targeting Linux systems to launch distributed denial-of-service (DDoS) attacks. The security firm analyzed a total of six versions of the botnet since November. An early version of the bot was initially documented in October by Trend Micro researchers.

The name Abcbot used to track the bot comes from the source path “abc-hello.”

Now Cado Security experts found a new version of a malicious shell script targeting insecure cloud instances running under the above Chinese cloud hosting providers.

Upon execution, the shell script calls a number of functions sequentially, the first one named nameservercheck disables SELinux protections and creates a backdoor. The bot also kills competing malware, including crypto mining and cloud-focused malware, on the same systems.

The bot also removes SSH keys and inserts its own to guarantee exclusive access to the infected host.

“Aside from this, the shell script exhibits similar functionality seen in previous versions, with the threat actor removing SSH keys left by similar attacks and inserting their own to guarantee access to the host. The sample also downloads one of the additional ELF binary payloads observed by Trend Micro and saves it as “abchello”.” reads the analysis published by the experts. “However, the code used to download the third payload appears to be commented-out.”

At this time the size of the Abcbot botnet is still unknown.

“Finally, if a SSH known_hosts file and corresponding public key exists in the root user’s .ssh directory, the script iterates through the known hosts, connecting to each one in turn and installing a copy of itself using the data transfer tools mentioned previously.” concludes the analysis. “This allows propagation of the malware in a worm-like fashion and ensures rapid compromise of related hosts.”

The report also includes Indicators of compromise for this threat.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Abcbot botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]