Posted on Leave a comment

Botnet Abcbot Linked To The Xanthe Cryptomining Malware Operators.

Abcbot attacks, first reported by Qihoo 360’s Netlab security team in November 2021, are triggered by a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud to download malware that co-opts the machine to a botnet, but not before terminating processes from competing threat actors and establishing persistence.

Cado Security has issued an analysis, “Our ongoing investigation into this malware family uncovers a clear relationship to Cisco’s Talos security research team’s Xanthe-based cryptojacking campaign revealed in late 2020.” When Talos researchers were alerted to an attack on one of their Docker honeypots, they identified malware that looked like a cryptocurrency mining bot.”

However, further analysis of the botnet, which included mapping all known Indicators of Compromise (IoCs), such as IP addresses, URLs, and samples, revealed Abcbot’s code and feature-level similarities to that of a cryptocurrency mining operation known as Xanthe, which used incorrectly configured Docker implementations to spread the infection.

Abcbot also contains malware that allows four malicious users to be added to the hacked machine, according to experts:

logger
ssysall
ssystem
sautoupdater

Cado Security’s Matt Muir reported ,”The same threat actor is behind both Xanthe and Abcbot, and its goal is transitioning from mining cryptocurrency on compromised hosts to more classic botnet activities like DDoS attacks.

The semantic similarities between the two malware families range from the way the source code is formatted to the names given to the routines, with some functions having not only identical names and implementations (e.g., “nameservercheck”), but also having the word “go” appended to the end of the function names (e.g., “filerungo”).

“This could mean that the Abcbot version of the function has been iterated on numerous times, with new functionality added at each iteration.

Finally the researchers concluded that ,” code reuse and even like-for-like duplication is routinely detected between malware families and specific instances. It makes sense from a development standpoint; just as valid software code is reused to reduce development time, illegitimate or malicious software code is reused as well.

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply