Researchers from Qihoo 360’s Netlab security team have published details of a new developing botnet known as “Abcbot” that has been spotted in the wild infecting Linux systems and launching distributed denial-of-service (DDoS) attacks on targets with worm-like spreading properties.

Netlab’s findings follow up on a research released by Trend Micro earlier this month, which detailed cryptocurrency-mining and cryptojacking malware attacks against Huawei Cloud. The attacks were especially remarkable since the malicious shell scripts disabled a procedure that was supposed to monitor and scan the systems.

While the botnet’s first version was discovered in July 2021, new variants discovered as recently as October 30 have been updated to target Linux web servers with weak passwords and are vulnerable to N-day vulnerabilities, including a custom implementation of DDoS functionality, indicating that the malware is still evolving.

  • On July 14, 2021, abcbot was first captured with the main functionality of Scanner, WebServer.
  • July 22, 2021, abcbot updated to include dga-related code in the self-updating function.
  • October 10, 2021, abcbot performed minor update.
  • October 12, 2021, another update, with some major code structure changes.
  • October 21, 2021, another update, adding the open source ATK rootkit to support DDoS functionality.
  • October 30, 2021, another update, abandoned ATK rootkit, to their own implementation of DDoS functionality.

The weak passwords and vulnerabilities used by Abcbot are the following

  • SSH weak password
  • FTP weak password
  • PostgreSQL weak password
  • Redis weak password
  • Mssql weak password
  • Mongo weak password
  • WebLogic Vulnerability (CVE-2020-14882)

According to the Chinese Internet Security  Company , These shell Scripts are being used to distribute Abcbot. A total of six different botnet versions have been discovered.

Once installed on a compromised host, the malware starts a series of events that result in the infected device being redeveloped as a web server as well as reporting system information to a command-and-control (C2) server spreading the malware to new devices by scanning for open ports and self-updating as new features are made available by the malware’s operators.

The researchers noted that “this process requires too many steps and any step that is faulty will result in the failure of the DDoS function,” prompting the adversary to replace the off-the-shelf code with a custom attack module in a subsequent version released on October 30 that completely abandons the ATK rootkit.

The news comes little over a week after the Netlab security team revealed details of the “Pink” botnet, which is said to have infected over 1.6 million machines, mostly in China, with the objective of initiating DDoS attacks and injecting advertising into HTTP websites accessed by unwitting users. In a similar development, AT&T Alien Labs announced the discovery of “BotenaGo,” a new Golang malware that uses over thirty exploits to potentially assault millions of routers and IoT devices.

The researchers concluded that “In these six months, the update process has been more of a trade-off between different technologies than a continual improvement of functionality, Abcbot is progressively maturing from a baby to an adult. We do not consider this stage to be complete; there are clearly numerous areas for improvement or new features to be added at this time.”

      Indicators Of Compromise:

C2 & Resource Server

DGA Domain(October)

DGA Domain(November)

IP China|Hong_Kong|Unknown        AS63916|IPTELECOM_Global



Sample MD5





















–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s