A new evolving botnet called “Abcbot” that has been observed in the wild with worm-like propagation features to infect Linux systems and launch DDoS attacks against targets. It equipped with additional updates to strike Linux web servers with weak passwords and are susceptible to N-day vulnerabilities, including a custom implementation of DDoS functionality, indicating that the malware is under continuous development.
The intrusions were also notable for the fact that the malicious shell scripts specifically disabled a process designed to monitor and scan the servers for security issues as well as reset users’ passwords to the Elastic cloud service. These shell scripts are being used to spread Abcbot. A total of six versions of the botnet have been observed to date.
Once installed on a compromised host, the malware triggers the execution of a series of steps that results in the infected device being repurposed as a web server, in addition to reporting the system information to a command-and-control (C2) server, spreading the malware to new devices by scanning for open ports, and self-updating itself as and when new features are made available by its operators.
It uses the open-source ATK Rootkit to implement the DDoS function,” a mechanism requires Abcbot to download the source code, compile, and load the rootkit module before performing DDoS attack. This process requires too many steps, and any step that is faulty will result in the failure of the DDoS function,”
Abcbot is slowly moving from infancy to maturity. We do not consider this stage to be the final form, there are obviously many areas of improvement or features to be developed at this stage.
Indicators of Compromise