Researchers at Cado security claim that the Abcbot botnet and Xanthe-based cryptojacking campaign have the same operator.

New research into the infrastructure behind an emerging DDoS botnet named Abcbot has uncovered links with a cryptocurrency-mining botnet attack that came to light in December 2020.

Researchers noted that Xanthe and Abcbot code samples are similar in style, with some Abcbot lines identical to ones seen in Xanthe.

Attacks that Involves Abcbot, First discovered In July 2021 by Netlab 360, the Abcbot botnet began as a simple scanner that used basic credential stuffing attacks and known vulnerability exploits to compromise vulnerable Linux systems. 

Abcbot is triggered via a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud to download malware that co-opts the machine to a botnet, but not before terminating processes from competing threat actors and establishing persistence.

However, the developers quickly updated their creation to include self-update mechanisms, exploit kits, worm functionality, and a total of nine distributed denial-of-service (DDoS) attack functions.

The shell script in question is itself an iteration of an earlier version originally discovered by Trend Micro in October 2021 hitting vulnerable ECS instances inside Huawei Cloud.

While past examples of the botnet’s activity revealed a clean-up before it deployed its cryptocurrency mining malware, on Monday, a new analysis published by Cado Security suggests the malware may be shifting back to more traditional routes: namely, a return to DDoS attacks as a focus. 

The semantic overlaps between the two malware families range from how the source code is formatted to the names given to the routines, with some functions not only sporting identical names and implementation (e.g., “nameservercheck”) but also have the word “go” appended to the end of the function names (e.g., “filerungo”).

A VirusTotal graph based on known Indicators of Compromise (IoCs), stylistic choices, and unique strings then revealed four hosts that overlapped in infrastructure and delivered both Abcbot botnet and Xanthe malware campaigns. 

Furthermore, the deep-dive examination of the malware artifacts revealed the botnet’s capability to create as many as four users of their own by using generic, inconspicuous names like “autoupdater,” “logger,” “sysall,” and “system” to avoid detection, and adding them to the sudoers file to give the rogue users administrative powers over the infected system.

“Based on this analysis, we believe that the same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks,” researchers said. “We suspect this won’t be the last malware campaign we analyze from this actor.”