Abcbot and Xanthe botnets have the same origin, experts discovered

Experts linked the C2 infrastructure behind an the Abcbot botnet to a cryptocurrency-mining botnet attack that was uncovered in December 2020.

Experts linked the infrastructure used by the Abcbot DDoS botnet to the operations of a cryptocurrency-mining botnet that was uncovered in December 2020.

In November Researchers from Qihoo 360’s Netlab security team have spotted a new botnet, tracked as Abcbot, that targets Linux systems to launch distributed denial-of-service (DDoS) attacks.

In December, Cado Security experts found a new version of a malicious shell script targeting insecure cloud instances running under the above Chinese cloud hosting providers.

The list of targeted providers includes Alibaba Cloud, Baidu, Tencent, and Huawei Cloud.

The security firm analyzed a total of six versions of the botnet since November. An early version of the bot was initially documented in October by Trend Micro researchers.

The name Abcbot used to track the bot comes from the source path “abc-hello.”

Cado Security researchers continue to analyze the botnet attempting to link its Indicators of Compromise (IoCs) to past malicious campaigns. The investigation revealed a clear link to a cryptocurrency mining botnet dubbed Xanthe that propagates by exploiting incorrectly-configured Docker implementations.

The Xanthe botnet was first analyzed by researchers from Cisco Talos in December 2020.

“Our continued analysis on this malware family reveals a clear link with the Xanthe-based cryptojacking campaign discovered by Cisco’s Talos security research team in late 2020. Researchers at Talos discovered malware resembling a cryptocurrency mining bot when they were alerted to an intrusion on one of their Docker honeypots.” reads the analysis published by Cado Security.

Experts believe that there is the same threat actor behind both Xanthe and Abcbot and it is shifting its objective from mining cryptocurrency on compromised hosts to DDoS attacks.

Experts observed semantic overlaps between the two bots, which include the format of the source code, naming convention for the routines, the presence of the word “go” appended to the end of the function names (e.g., “filerungo”).

Experts also noticed that Abcbot includes code used to add four malicious users to the compromised machine:

• logger
• sysall
• system
• autoupdater

“Code reuse and even like-for-like copying is often seen between malware families and specific samples on any platform. It makes sense from a development perspective; just as code for legitimate software is reused to save development time, the same occurs with illegitimate or malicious software.” concludes the report. “As we’ve shown in this report, we believe that there are several links between both the Xanthe and Abcbot malware families that suggest the same threat actor is responsible. These include reuse of unique strings, mentions of shared infrastructure, stylistic choices and functionality that can be seen in both samples – most of which would be difficult and/or pointless to copy exactly.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]