Security researchers discovered a new botnet, named Abcbot, that focused on Chinese cloud hosting providers Alibaba Cloud, Baidu, Tencent, and Huawei Cloud.
The Abcbot botnet targets Linux systems to launch distributed denial-of-service (DDoS) attacks. The name Abcbot, used to track the bot, comes from the source path “abc-hello.”
Upon execution, the shell script calls several functions in sequence. The first, named nameservercheck, disables SELinux protections and creates a backdoor. The bot also kills competing malware, including crypto-mining and cloud-focused malware, on the same systems.
The bot also removes SSH keys and inserts its own to guarantee exclusive access to the infected host.
Aside from this, the shell script exhibits functionality similar to that seen in previous versions, with the threat actor removing SSH keys left by similar attacks and inserting their own to guarantee access to the host. The sample also downloads one of the additional ELF binary payloads observed by Trend Micro and saves it as “abchello”. However, the code used to download the third payload appears to be commented out.
Given the steps Abcbot takes to kill crypto-mining processes it did not spawn itself, it may be that its final purpose is to generate cryptocurrency profits for the attackers after all. Right now, the size of the Abcbot botnet is still unknown to researchers.
“If an SSH known hosts file and corresponding public key exists in the root user's .ssh directory, the script iterates through the known hosts, connecting to each one in turn and installing a copy of itself using the data transfer tools mentioned previously. This allows propagation of the malware in a worm-like fashion and ensures rapid compromise of related hosts.”
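Two of the host-level behaviours described above, the swap of root's SSH keys and the disabling of SELinux, can be checked against a known-good baseline. The following audit is an added example written for this article, not code from the researchers or from the malware; the key material and config text are constructed samples, and the function names are the author's own.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    check: str
    detail: str

def parse_authorized_keys(text):
    """Set of 'type base64' entries in an authorized_keys file (options, comments ignored)."""
    key_re = re.compile(r"\b(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = key_re.search(line)
            if m:
                keys.add(f"{m.group(1)} {m.group(2)}")
    return keys

def audit_authorized_keys(baseline, current):
    """Report keys removed from or added to a known-good baseline (the key-swap indicator)."""
    before, after = parse_authorized_keys(baseline), parse_authorized_keys(current)
    removed = [Finding("ssh_key_removed", k) for k in sorted(before - after)]
    added = [Finding("ssh_key_added", k) for k in sorted(after - before)]
    return removed + added

def audit_selinux_config(config_text):
    """Flag a SELINUX= setting other than enforcing in /etc/selinux/config-style text."""
    for line in config_text.splitlines():
        m = re.match(r"\s*SELINUX\s*=\s*(\w+)", line)
        if m and m.group(1).lower() != "enforcing":
            return [Finding("selinux_not_enforcing", m.group(1))]
    return []

# Constructed sample inputs (not real keys or captured data).
BASELINE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEbaselinekey000000000000000000000 admin@bastion\n"
CURRENT_KEYS = "# rewritten\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfakeattackerkey000000000000000000 root@unknown\n"
SELINUX_CONFIG = "# This file controls the state of SELinux on the system.\nSELINUX=disabled\nSELINUXTYPE=targeted\n"

def run_audit(baseline_keys, current_keys, selinux_config):
    """Combine both checks; on a live host read /root/.ssh/authorized_keys and /etc/selinux/config."""
    return audit_authorized_keys(baseline_keys, current_keys) + audit_selinux_config(selinux_config)

if __name__ == "__main__":
    for f in run_audit(BASELINE_KEYS, CURRENT_KEYS, SELINUX_CONFIG):
        print(f"{f.check}: {f.detail}")
```

A baseline removed key followed by an unknown added key, together with SELinux no longer enforcing, is the combination this article describes; either finding alone still warrants a look at the host.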
Indicators of Compromise