
Advanced Wormable Botnet Malware Found in the Wild Targeting Linux Systems

Researchers from Qihoo 360’s Netlab security team have published details of a new developing botnet known as “Abcbot” that has been spotted in the wild infecting Linux systems and launching distributed denial-of-service (DDoS) attacks on targets with worm-like spreading properties.

Netlab’s findings follow up on research released by Trend Micro earlier this month, which detailed cryptocurrency-mining and cryptojacking malware attacks against Huawei Cloud. The attacks were especially remarkable because the malicious shell scripts disabled a procedure that was supposed to monitor and scan the systems.

While the botnet’s first version was discovered in July 2021, new variants discovered as recently as October 30 have been updated to target Linux web servers that have weak passwords or are exposed to N-day vulnerabilities, and now include a custom implementation of DDoS functionality, indicating that the malware is still evolving.

  • July 14, 2021: Abcbot first captured, with Scanner and WebServer as its main functionality.
  • July 22, 2021: updated to include DGA-related code in the self-updating function.
  • October 10, 2021: minor update.
  • October 12, 2021: another update, with major code structure changes.
  • October 21, 2021: another update, adding the open-source ATK rootkit to support DDoS functionality.
  • October 30, 2021: another update, abandoning the ATK rootkit in favour of their own implementation of DDoS functionality.

The weak passwords and vulnerabilities used by Abcbot are the following:

  • SSH weak password
  • FTP weak password
  • PostgreSQL weak password
  • Redis weak password
  • MSSQL weak password
  • Mongo weak password
  • WebLogic Vulnerability (CVE-2020-14882)

According to the Chinese internet security company, shell scripts are being used to distribute Abcbot. A total of six different botnet versions have been discovered.

Once installed on a compromised host, the malware starts a series of events: the infected device is repurposed as a web server, system information is reported to a command-and-control (C2) server, the malware spreads to new devices by scanning for open ports, and it self-updates as new features are made available by the malware’s operators.

The researchers noted that “this process requires too many steps and any step that is faulty will result in the failure of the DDoS function,” prompting the adversary to replace the off-the-shelf code with a custom attack module in a subsequent version released on October 30 that completely abandons the ATK rootkit.

The news comes a little over a week after the Netlab security team revealed details of the “Pink” botnet, which is said to have infected over 1.6 million machines, mostly in China, with the objective of initiating DDoS attacks and injecting advertising into HTTP websites accessed by unwitting users. In a similar development, AT&T Alien Labs announced the discovery of “BotenaGo,” a new Golang malware that uses over thirty exploits to potentially assault millions of routers and IoT devices.

The researchers concluded that “In these six months, the update process has been more of a trade-off between different technologies than a continual improvement of functionality; Abcbot is progressively maturing from a baby to an adult. We do not consider this stage to be complete; there are clearly numerous areas for improvement or new features to be added at this time.”

Indicators Of Compromise:

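The DGA domains Netlab published for October and November each consist of nine-letter labels that are permutations of one fixed letter set per month (observable from the published lists; the generator itself is not described on this page) under the .tk, .com and .pages.dev suffixes. The following added example, not code from Netlab or the original post, turns that observation into a simple DNS-log detection: it normalises each queried label to its sorted-letter signature and matches it against the known monthly seeds. The dnsmasq-style log lines and the `10.0.0.x` sources are constructed sample data.

```python
import re

# Sorted-letter signatures of the published Abcbot DGA batches. Every domain
# in a month's list is an anagram of the same nine letters (observed from the
# page's October and November lists, not a documented algorithm).
KNOWN_SIGNATURES = {
    "".join(sorted("dgixyyfug")): "abcbot-dga-oct-2021",
    "".join(sorted("enjuyzkpr")): "abcbot-dga-nov-2021",
}
# Suffixes the published domains were registered under.
DGA_SUFFIXES = ("tk", "com", "pages.dev")

def split_domain(fqdn):
    """Return (label, suffix) when fqdn is a bare 9-letter label under a DGA
    suffix (no subdomains), otherwise None."""
    fqdn = fqdn.rstrip(".").lower()
    for suffix in DGA_SUFFIXES:
        if fqdn.endswith("." + suffix):
            label = fqdn[: -len(suffix) - 1]
            if re.fullmatch(r"[a-z]{9}", label):
                return label, suffix
    return None

def classify(fqdn):
    """Return the DGA family name for a matching query name, else None."""
    parts = split_domain(fqdn)
    if parts is None:
        return None
    label, _ = parts
    return KNOWN_SIGNATURES.get("".join(sorted(label)))

# dnsmasq query-log format: "query[A] <name> from <client>"
LOG_LINE = re.compile(r"query\[(?P<type>\w+)\] (?P<name>\S+) from (?P<src>\S+)")

def scan_log(lines):
    """Return (client, name, family) for every query that hits a known seed."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and (family := classify(m.group("name"))):
            hits.append((m.group("src"), m.group("name"), family))
    return hits

SAMPLE_LOG = """\
Nov  2 10:14:01 gw dnsmasq[811]: query[A] www.example.com from 10.0.0.5
Nov  2 10:14:03 gw dnsmasq[811]: query[A] guyfixdyg.pages.dev from 10.0.0.17
Nov  2 10:14:03 gw dnsmasq[811]: query[A] rpzkjueyn.tk from 10.0.0.17
Nov  2 10:14:09 gw dnsmasq[811]: query[A] api.github.com from 10.0.0.5
""".splitlines()

if __name__ == "__main__":
    for src, name, family in scan_log(SAMPLE_LOG):
        print(f"{src} -> {name} [{family}]")
```

The signature match only catches batches whose seed letters are already known, so it complements rather than replaces generic DGA heuristics such as per-host NXDOMAIN rates.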
