Researchers have established a “clear” link between the Abcbot botnet and a well-established group of cryptojacking cybercriminals.
First discovered in July 2021 by Netlab 360, the Abcbot botnet began as a simple scanner that used basic credential stuffing attacks and known vulnerability exploits to compromise vulnerable Linux systems.
However, the developers quickly updated their creation to include automatic update mechanisms, exploit kits, worm features, and a total of nine Distributed Denial of Service (DDoS) attack features.
These findings were a starting point for Cado Security, which released a more in-depth analysis of the botnet in December. At this point, the Abcbot botnet was also able to detect and kill Docker image-based cryptocurrency miners and malware already present on a target server, as well as disabling cloud monitors, including components of Aliyun monitoring Alibaba Cloud Assistant and Tencent.
Trend Micro said that once a deep cleanup of the compromised servers has taken place, new malicious user profiles are added with elevated privilege levels and built-in security has been deployed to prevent their modification or deletion. .
While past examples of botnet activity have revealed a cleanup before it deploys its own cryptocurrency mining malware, on Monday a new analysis released by Cado Security suggests the malware could return to lanes. more traditional: namely, a return to DDoS attacks as a focal point.
According to cybersecurity researchers, there is now an established link between the botnet and Xanthe, a cryptojacking campaign documented by Cisco Talos in December 2020.
Talos discovered Xanthe after the group targeted a Docker-based honeypot with a Monero cryptocurrency miner, XMRig. At the time, Xanthe was focused on hijacking the computational resources of vulnerable servers to generate cryptocurrency and would use bash scripts to root out concurrent malware, as well as maintain persistence.
After comparing samples of the Abcbot botnet and Xanthe, Cado Security found similarities in code and functionality.
A VirusTotal chart based on known Indicators of Compromise (IoC), stylistic choices, and unique strings then revealed four overlapping hosts in infrastructure and delivered both Abcbot botnet and Xanthe malware campaigns.
However, the samples also revealed recent changes in functionality, including commented mining components, which suggest that mining may ‘no longer. [be] an objective “from Abbot.
“Based on this analysis, we believe that the same threat actor is responsible for both Xanthe and Abcbot and is shifting their focus from mining cryptocurrency on compromised hosts to more traditionally associated activities. to botnets, such as DDoS attacks, ”the researchers said. “We believe this will not be the last malware campaign that we analyze from this player.”
Prior and related coverage
Do you have any advice? Contact us securely via WhatsApp | Call +447 713 025 499, or on Keybase: charlie0