Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices
18.6.22 BotNet Thehackernews
The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K.
The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (IoT) devices, Android phones, and computers for use as a proxy service.
Botnets, a constantly evolving threat, are networks of hijacked computer devices that are under the control of a single attacking party and are used to facilitate a variety of large-scale cyber intrusions such as distributed denial-of-service (DDoS) attacks, email spam, and cryptojacking.
"The RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked," the DoJ said in a press release. "The owners of these devices did not give the RSOCKS operator(s) authority to access their devices in order to use their IP addresses and route internet traffic."
Besides home businesses and individuals, several large public and private entities, including a university, a hotel, a television studio, and an electronics manufacturer, have been victimized by the botnet to date, the prosecutors said.
Customers wanting to obtain proxies from RSOCKS could rent access via a web-based storefront for different time periods at various price points, ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.
Once purchased, criminal actors could then redirect malicious internet traffic through the IP addresses associated with the compromised victim devices to conceal their true intent, which was to carry out credential stuffing attacks, access compromised social media accounts, and send out phishing messages.
The action is the culmination of an undercover operation mounted by the Federal Bureau of Investigation (FBI) in early 2017, when it made covert purchases from RSOCKS to map out its infrastructure and its victims, allowing it to determine roughly 325,000 infected devices.
"Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised the victim device by conducting brute force attacks," the DoJ said. "The RSOCKS backend servers maintained a persistent connection to the compromised device."
The disruption of RSOCKS arrives less than two weeks after the DoJ seized an illicit online marketplace known as SSNDOB that trafficked personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S.
Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers
15.6.22 BotNet Thehackernews
A new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector since its emergence in March 2022.
Dubbed Panchan by Akamai Security Research, the malware "utilizes its built-in concurrency features to maximize spreadability and execute malware modules" and "harvests SSH keys to perform lateral movement."
The feature-packed botnet, which relies on a basic list of default SSH passwords to carry out a dictionary attack and expand its reach, primarily functions as a cryptojacker designed to hijack a computer's resources to mine cryptocurrencies.
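The dictionary attack described above leaves a recognizable trace in sshd logs: a burst of failed password attempts from one source, often followed by a successful password login. The following detector is an added example (not code from Akamai or from the Panchan report) that parses constructed auth.log lines and flags sources that cross a failure threshold inside a short window; the host names, addresses and timestamps are made up, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in the classic /var/log/auth.log layout.
# Hosts, IPs, ports and times are invented for this example.
SAMPLE_AUTH_LOG = """\
Mar 19 03:12:01 edu-node1 sshd[2107]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar 19 03:12:02 edu-node1 sshd[2107]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar 19 03:12:04 edu-node1 sshd[2109]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Mar 19 03:12:05 edu-node1 sshd[2111]: Failed password for invalid user ubuntu from 198.51.100.7 port 41036 ssh2
Mar 19 03:12:07 edu-node1 sshd[2113]: Failed password for root from 198.51.100.7 port 41040 ssh2
Mar 19 03:12:09 edu-node1 sshd[2115]: Accepted password for root from 198.51.100.7 port 41044 ssh2
Mar 19 03:15:30 edu-node1 sshd[2201]: Failed password for alice from 203.0.113.5 port 50210 ssh2
Mar 19 03:15:41 edu-node1 sshd[2203]: Accepted publickey for alice from 203.0.113.5 port 50212 ssh2
"""

# "invalid user" is emitted when the account does not exist; the optional
# group absorbs it so the user name is captured either way.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(log_text, year=2022):
    """Return (timestamp, result, method, user, ip) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_ssh_dictionary_attacks(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with `threshold` failed password logins inside `window_seconds`.

    A successful password login from the same source after the burst is the
    most important signal and is reported separately.
    """
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[4]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed" and e[2] == "password"]
        # Sliding window over the sorted failure timestamps.
        burst = any(
            (failures[i + threshold - 1][0] - failures[i][0]).total_seconds() <= window_seconds
            for i in range(len(failures) - threshold + 1)
        )
        if not burst:
            continue
        first_fail = failures[0][0]
        success = next(
            (e for e in evs if e[1] == "Accepted" and e[2] == "password" and e[0] >= first_fail),
            None,
        )
        alerts[ip] = {
            "failed_attempts": len(failures),
            "usernames_tried": sorted({e[3] for e in failures}),
            "success_after_burst": success[3] if success else None,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_ssh_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Key-based logins are deliberately not counted as failures: a source that succeeds with a key after an earlier password burst is a different, post-compromise signal, and a single wrong password from a known user is noise. A real deployment would read the journal or a log shipper rather than a string and carry the year from the file's metadata.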
The cybersecurity and cloud service company noted it first spotted Panchan's activity on March 19, 2022, and attributed the malware to a likely Japanese threat actor based on the language used in the administrative panel baked into the binary to edit the mining configuration.
Panchan is known to deploy and execute two miners, XMRig and nbhash, on the host during runtime, the novelty being that the miners aren't extracted to the disk to avoid leaving a forensic trail.
"To avoid detection and reduce traceability, the malware drops its cryptominers as memory-mapped files, without any disk presence," the researchers said. "It also kills the cryptominer processes if it detects any process monitoring."
Of the 209 infected peers detected so far, 40 are said to be currently active. Most of the compromised machines are located in Asia (64), followed by Europe (52), North America (45), South America (11), Africa (1), and Oceania (1).
An interesting clue as to the malware's origins is the result of an OPSEC failure on the part of the threat actor, revealing the link to a Discord server that's displayed in the "godmode" admin panel.
"The main chat was empty except a greeting of another member that occurred in March," the researchers said. "It could be that other chats are only available to higher privileged members of the server."
New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers
3.6.22 BotNet Thehackernews
An enhanced version of the XLoader malware has been spotted adopting a probability-based approach to camouflage its command-and-control (C&C) infrastructure, according to the latest research.
"Now it is significantly harder to separate the wheat from the chaff and discover the real C&C servers among thousands of legitimate domains used by Xloader as a smokescreen," Israeli cybersecurity company Check Point said.
First spotted in the wild in October 2020, XLoader is a successor to Formbook and a cross-platform information stealer that's capable of plundering credentials from web browsers, capturing keystrokes and screenshots, and executing arbitrary commands and payloads.
More recently, the ongoing geopolitical conflict between Russia and Ukraine has proved to be a lucrative fodder for distributing XLoader by means of phishing emails aimed at high-ranking government officials in Ukraine.
The latest findings from Check Point build on a previous report from Zscaler in January 2022, which revealed the inner workings of the malware's C&C (or C2) network encryption and communication protocol, noting its use of decoy servers to conceal the legitimate server and evade malware analysis systems.
"The C2 communications occur with the decoy domains and the real C2 server, including sending stolen data from the victim," the researchers explained. "Thus, there is a possibility that a backup C2 can be hidden in the decoy C2 domains and be used as a fallback communication channel in the event that the primary C2 domain is taken down."
The stealthiness comes from the fact the domain name for the real C&C server is hidden alongside a configuration containing 64 decoy domains, from which 16 domains are randomly picked, followed by replacing two of those 16 with the fake C&C address and the authentic address.
What's changed in the newer versions of XLoader is that after the selection of 16 decoy domains from the configuration, the first eight domains are overwritten with new random values before each communication cycle while taking steps to skip the real domain.
Additionally, XLoader 2.5 replaces three of the domains in the created list with two decoy server addresses and the real C&C server domain. The ultimate goal is to prevent the detection of the real C&C server, based on the delays between accesses to the domains.
The fact that the malware authors have resorted to principles of probability theory to access the legitimate server once again demonstrates how threat actors constantly fine-tune their tactics to further their nefarious goals.
"These modifications achieve two goals at once: each node in the botnet maintains a steady knockback rate while fooling automated scripts and preventing the discovery of the real C&C servers," Check Point researchers said.
New Sysrv Botnet Variant Hijacking Windows and Linux with Crypto Miners
17.5.22 BotNet Thehackernews
Microsoft is warning of a new variant of the Sysrv botnet that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems.
The tech giant, which has called the new version Sysrv-K, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020.
"Sysrv-K scans the internet to find web servers with various vulnerabilities to install itself," the company said in a series of tweets. "The vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities."
This also includes CVE-2022-22947 (CVSS score: 10.0), a code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host via a maliciously crafted request.
It's worth noting that the abuse of CVE-2022-22947 has prompted the U.S. Cybersecurity and Infrastructure Security Agency to add the flaw to its Known Exploited Vulnerabilities Catalog.
A key differentiator is that Sysrv-K scans for WordPress configuration files and their backups to fetch database credentials, which are then used to hijack web servers. It's also said to have upgraded its command-and-control communication functions to make use of a Telegram Bot.
Once infected, lateral movement is facilitated through SSH keys available on the victim machine to deploy copies of the malware to other systems and grow the botnet's size, effectively putting the entire network at risk.
"The Sysrv malware takes advantage of known vulnerabilities to spread their Cryptojacking malware," Lacework Labs researchers noted last year. "Ensuring public facing applications are kept up to date with the latest security patches is critical to avoid opportunistic adversaries from compromising systems."
Besides securing internet-exposed servers, Microsoft is additionally advising organizations to apply security updates in a timely fashion and build credential hygiene to reduce risk.
New EnemyBot DDoS Botnet Borrows Exploit Code from Mirai and Gafgyt
15.4.22 BotNet Thehackernews
A threat group that pursues crypto mining and distributed denial-of-service (DDoS) attacks has been linked to a new botnet called Enemybot, which has been discovered enslaving routers and Internet of Things (IoT) devices since last month.
"This botnet is mainly derived from Gafgyt's source code but has been observed to borrow several modules from Mirai's original source code," Fortinet FortiGuard Labs said in a report this week.
The botnet has been attributed to an actor named Keksec (aka Kek Security, Necro, and FreakOut), which has been linked to multiple botnets such as Simps, Ryuk (not to be confused with the ransomware of the same name), and Samael, and has a history of targeting cloud infrastructure to carry out crypto mining and DDoS operations.
The botnet primarily targets routers from Seowon Intech, D-Link, and iRZ to propagate its infections and grow in volume. Analysis of the malware specimen has also highlighted Enemybot's obfuscation attempts to hinder analysis and its connection to a remote server hosted in the Tor anonymity network to fetch attack commands.
Enemybot, like the other botnet malware, is the result of combining and modifying the source code of Mirai and Gafgyt, with the latest version using the former's scanner and bot killer modules that are used to scan and terminate competitor processes running on the same devices.
Some of the n-day vulnerabilities used by the botnet to infect more devices are as follows -
CVE-2020-17456 (CVSS score: 9.8) - A remote code execution flaw in Seowon Intech SLC-130 and SLR-120S devices.
CVE-2018-10823 (CVSS score: 8.8) - An arbitrary code execution vulnerability in D-Link routers.
CVE-2022-27226 (CVSS score: 8.8) - A cross-site request forgery issue affecting iRZ Mobile Routers, leading to remote code execution.
Fortinet also pointed out its overlaps with Gafgyt_tor, suggesting that "Enemybot is likely an updated and 'rebranded' variant of Gafgyt_tor."
The disclosure comes as researchers from Qihoo 360's Network Security Research Lab (360 Netlab) detailed a rapidly spreading DDoS botnet called Fodcha that has ensnared more than 10,000 daily active bots, cumulatively infecting over 62,000 unique bots from March 29 to April 10, 2022.
Fodcha has been observed spreading through known vulnerabilities in Android, GitLab (CVE-2021-22205), Realtek Jungle SDK (CVE-2021-35394), digital video recorders from MVPower, LILIN, and routers from TOTOLINK and ZHONE.
Microsoft Disrupts ZLoader Cybercrime Botnet in Global Operation
15.4.22 BotNet Thehackernews
Microsoft and a consortium of cybersecurity companies took legal and technical steps to disrupt the ZLoader botnet, seizing control of 65 domains that were used to control and communicate with the infected hosts.
"ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money," Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit (DCU), said.
The operation, Microsoft said, was undertaken in collaboration with ESET, Lumen's Black Lotus Labs, Palo Alto Networks Unit 42, Avast, Financial Services Information Sharing and Analysis Center (FS-ISAC), and Health Information Sharing and Analysis Center (H-ISAC).
As a result of the disruption, the domains are now redirected to a sinkhole, effectively preventing the botnet's criminal operators from contacting the compromised devices. Another 319 backup domains that were generated via an embedded domain generation algorithm (DGA) have also been confiscated as part of the same operation.
ZLoader, like its notorious counterpart TrickBot, started off as a derivative of the Zeus banking trojan in November 2019 before undergoing active refinements and upgrades that have enabled other threat actors to purchase the malware from underground forums and repurpose it to suit their goals.
"ZLoader has remained relevant as attackers' tool of choice by including defense evasion capabilities, like disabling security and antivirus tools, and selling access-as-a-service to other affiliate groups, such as ransomware operators," Microsoft said.
"Its capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers."
ZLoader's transition from a basic financial trojan to a sophisticated malware-as-a-service (MaaS) solution has also made it possible for the operators to monetize the compromises by selling the access to other affiliate actors, who then misuse it to deploy additional payloads like Cobalt Strike and ransomware.
Campaigns involving ZLoader have abused phishing emails, remote management software, and rogue Google Ads to gain initial access to the target machines, while simultaneously using several complex tactics for defense evasion, including injecting malicious code into legitimate processes.
Interestingly, an analysis of the malware's malicious activities since February 2020 has revealed that most of the operations originated from just two affiliates since October 2020: "dh8f3@3hdf#hsf23" and "03d5ae30a0bd934a23b6a7f0756aa504."
While the former used "ZLoader's ability to deploy arbitrary payloads to distribute malicious payloads to its bots," the other affiliate, active to date, appears to have focussed on siphoning credentials from banking, cryptocurrency platforms, and e-commerce sites, Slovak cybersecurity firm ESET said.
To top it all, Microsoft also unmasked Denis Malikov, who lives in the city of Simferopol on the Crimean Peninsula, as one of the actors behind the development of a module used by the botnet to distribute ransomware strains, stating that it chose to name the perpetrator to "make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes."
The takedown effort is reminiscent of a global operation to disrupt the notorious TrickBot botnet in October 2020. Although the botnet managed to bounce back last year, it has since been retired by the malware authors in favor of other stealthy variants such as BazarBackdoor.
"Like many modern malware variants, getting ZLoader onto a device is oftentimes just the first step in what ends up being a larger attack," Microsoft said. "The trojan further exemplifies the trend of common malware increasingly harboring more dangerous threats."
A Bad Luck BlackCat
10.4.22 BotNet Securelist
In early December 2021, a new ransomware actor started advertising its services on a Russian underground forum. They presented themselves as ALPHV, a new generation Ransomware-as-a-Service (RaaS) group. Shortly afterwards, they dialed up their activity, infecting numerous corporate victims around the world. The group is also known as BlackCat.
One of the biggest differences from other ransomware actors is that BlackCat malware is written in Rust, which is unusual for malware developers. Their infrastructure websites are also developed differently from other ransomware groups. Due to Rust’s advanced cross-compilation capabilities, both Windows and Linux samples appear in the wild. In other words, BlackCat has introduced incremental advances and a shift in technologies to address the challenges of ransomware development.
The actor portrays itself as a successor to notorious ransomware groups like BlackMatter and REvil. The cybercriminals claim they have addressed all the mistakes and problems in ransomware development and created the perfect product in terms of coding and infrastructure. However, some researchers see the group not only as the successors to the BlackMatter and REvil groups, but as a complete rebranding. Our telemetry suggests that at least some members of the new BlackCat group have links to the BlackMatter group, because they modified and reused a custom exfiltration tool we call Fendr and which has only been observed in BlackMatter activity.
This use of a modified Fendr, also known as ExMatter, represents a new data point connecting BlackCat with past BlackMatter activity. The group attempted to deploy the malware extensively within organizations in December 2021 and January 2022. BlackMatter prioritized collection of sensitive information with Fendr to successfully support their scheme of double coercion. In addition, the modification of this reused tool demonstrates a more sophisticated planning and development regimen for adapting requirements to target environments, characteristic of a maturing criminal enterprise.
Two incidents of special interest
Two recent BlackCat incidents stand out as particularly interesting. One demonstrates the risk presented by shared cloud hosting resources, and the other demonstrates an agile approach to customized malware re-use across BlackMatter and BlackCat activity.
In the first case, it appears the ransomware group penetrated a vulnerable ERP provider in the Middle East hosting multiple sites. The attackers delivered two different executables simultaneously to the same physical server, targeting two different organizations virtually hosted there. The initial access was mistaken by the attackers for two different physical systems and drives to infect and encrypt. The kill chain was triggered prior to the “pre-encryption” activity, but the real point of interest here lies in the shared vulnerabilities and the demonstrable risk of shared assets across cloud resources. At the same time, the group also delivered a Mimikatz batch file along with executables and Nirsoft network password recovery utilities. In a similar incident dating back to 2019, REvil, a predecessor of BlackMatter, appears to have penetrated a cloud service supporting a large number of dental offices in the US. Perhaps this same affiliate has reverted to some old tactics.
The second case involves an oil, gas, mining and construction company in South America. This related incident further connects BlackMatter ransomware activity with BlackCat. Not only did the affiliate behind this ransomware incident attempt to deliver BlackCat ransomware within the target network, but approximately 1 hour 40 minutes before its delivery they installed a modified custom exfiltration utility that we call Fendr. Also known as ExMatter, this utility had previously been used exclusively in BlackMatter ransomware activity.
Here, we can see that the BlackCat group increased the number of file extensions for automatic collection and exfiltration by the tool:
Fendr file extensions (17146b91dfe7f3760107f8bc35f4fd71)
.doc .docx .xls .xlsx .xlsm .pdf
.msg .ppt .pptx .sda .sdm .sdw
.zip .json .config .ts .cs .sqlite
.aspx .pst .rdp .accdb .catpart .catproduct
.catdrawing .3ds .dwt .dxf .csv
These additional file extensions are used in industrial design applications, like CAD drawings and some databases, as well as RDP configuration settings, making the tool more customized towards the industrial environments that we see being targeted by this group. And, if we believe the PE header timestamp, the group compiled this Fendr modification just a few hours before its initial use. One of the organizations targeted with the Fendr exfiltration tool has branches all over the world, resulting in a surprising mix of locations. Not all of the systems received a ransomware executable.
Technical details
MD5 B6B9D449C9416ABF96D21B356A41A28E
SHA1 38fa2979382615bbee32d1f58295447c33ca4316
SHA256 be8c5d07ab6e39db28c40db20a32f47a97b7ec9f26c9003f9101a154a5a98486
Compiler Rust
Filesize 2.94 MB
The analyzed BlackCat ransomware file “<xxx>_alpha_x86_32_windows_encrypt_app.exe” is a 32-bit Windows executable that was coded in Rust. Rust-compiled binaries use the Rust standard library with a lot of safety checks, memory allocations, string processing, and other operations. They also include various external crates with libraries for required functionality, like Base64, AES encryption, etc. This particular language, and its compilation overhead, makes disassembly analysis more complicated. However, with the proper approach and Rust STD function signatures applied in IDA (or your disassembler of choice, for example Ghidra), it’s possible to understand the full malware capabilities with static analysis. Additional Rust library usage can be obtained from strings in clear form, as no obfuscation whatsoever is used by the malware:
External cargo is used in malware
Rust is a cross-compilation language, so a number of BlackCat Linux samples quickly appeared in the wild shortly after their Windows counterparts.
This BlackCat sample is a command line application. After execution, it checks the command line arguments provided:
Command line arguments for malware
BlackCat is an affiliate actor. This means it provides infrastructure, malware samples, ransom negotiations, and probably cash-out. Anyone who already has access to compromised environments can use BlackCat’s samples to infect a target. And a little help with ransomware execution is likely to come in handy.
The command line arguments are pretty self-explanatory. Some relate to VMs, such as whether to wipe VM snapshots or stop VMs on ESXi. It’s also possible to select specific file folders to process or to execute the malware as a child process.
Shortly after execution, the malware gets the “MachineGuid” from the corresponding Windows registry key:
This GUID will be used later in the encryption key generation process.
The malware then gets a unique machine identifier (UUID) using a WMIC query executed as a separate command by creating a new cmd.exe process:
This UUID is used together with the “--access-token” command-line argument to generate a unique ACCESS_KEY for victim identification.
BlackCat ransomware uses Windows named pipes for inter-process communication. For example, data returned by the cmd.exe process will be written into named pipes and later processed by malware:
The names of the pipes are not unique and are hard-coded into malicious samples.
The malware checks which version of the Windows operating system it’s being executed under. That is done using the fairly standard technique of getting this information from the Process Environment Block structure:
The operating system version is required to implement a proper Privilege Escalation technique such as:
Simple process token impersonation
COM elevation moniker UAC Bypass
COM object initialization
The malware uses a previously known technique, used by LockBit ransomware, for example, to exploit an undocumented COM object (3E5FC7F9-9A51-4367-9063-A120244FBEC7). It is vulnerable to the CMSTPLUA UAC bypass.
Using “cmd.exe”, the malware executes a special command:
fsutil behavior set SymlinkEvaluation R2L:1
This command adjusts the behavior of the Windows file system symlinks. It allows the malware to follow shortcuts with remote paths.
Another command executed as part of pre-encryption is:
vssadmin.exe delete shadows /all /quiet
This is almost standard for any ransomware and deletes all Windows shadow copy backups. Then the malware gets a list of services to be killed, as well as files and folders to be excluded from the encryption process, kills processes and starts encryption using separate working threads:
Embedded process list to kill
This particular sample was observed to be run with “--access-token xxx --no-prop-servers \\xxx --propagated” command line parameters. In addition to the activity detailed above, the malware will attempt to propagate, but will not re-infect the server that it is attempting to run on. It will perform a hard stop on any IIS services hosted on the system with “iisreset.exe /stop”, check the local area network for immediately reachable systems with “arp -a”, and increase the upper limit on the number of concurrent commands that can be outstanding between a client and a server by increasing the MaxMpxCt to the maximum allowed with:
Also, it is notable that the group uses a compressed version of PsExec to spread laterally within an organization, as was observed with the remote execution of this sample.
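Every pre-encryption step listed above is a child process with a distinctive command line, which makes the sequence a good fit for process-creation telemetry (Sysmon Event ID 1 or Security event 4688). The detector below is an added example, not Kaspersky's code: it runs a small rule set over constructed event records whose hosts, paths and times are made up (the command lines mirror the ones described for this sample), and weights and thresholds are assumptions to tune locally.

```python
import re
from collections import defaultdict

# Constructed process-creation records in a trimmed Sysmon Event ID 1 layout.
# Host names, image paths and the binary name "enc.exe" are invented.
SAMPLE_EVENTS = [
    {"host": "fs01", "parent": "services.exe", "image": "PSEXESVC.exe",
     "cmd": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "fs01", "parent": "PSEXESVC.exe", "image": "enc.exe",
     "cmd": "enc.exe --access-token xxx --no-prop-servers \\\\fs01 --propagated"},
    {"host": "fs01", "parent": "enc.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c fsutil behavior set SymlinkEvaluation R2L:1"},
    {"host": "fs01", "parent": "enc.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs01", "parent": "enc.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c iisreset.exe /stop"},
    {"host": "fs01", "parent": "enc.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c arp -a"},
    # The registry path below is the standard LanmanServer location of MaxMpxCt;
    # the exact command the sample used is not given on the page, so this line is constructed.
    {"host": "fs01", "parent": "enc.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters"
            " /v MaxMpxCt /d 65535 /t REG_DWORD /f"},
    # Benign: an administrator looking at the ARP cache from an interactive shell.
    {"host": "ws07", "parent": "explorer.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c arp -a"},
]

# (rule name, weight, pattern). Weights are assumptions; shadow-copy deletion
# dominates because legitimate software almost never issues it silently.
RULES = [
    ("shadow_copy_deletion", 5, re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("blackcat_propagation_args", 4, re.compile(r"--access-token\s+\S+.*--propagated", re.I)),
    ("symlink_r2l_enabled", 3, re.compile(r"\bfsutil\s+behavior\s+set\s+SymlinkEvaluation\s+R2L:1", re.I)),
    ("iis_hard_stop", 2, re.compile(r"\biisreset(\.exe)?\s+/stop\b", re.I)),
    ("smb_maxmpxct_changed", 2, re.compile(r"\bMaxMpxCt\b", re.I)),
    ("psexec_service", 2, re.compile(r"PSEXESVC|psexec", re.I)),
    ("arp_cache_enumeration", 1, re.compile(r"\barp(\.exe)?\s+-a\b", re.I)),
]


def match_rules(cmd):
    """Names of every rule whose pattern occurs in one command line, in RULES order."""
    return [name for name, _w, rx in RULES if rx.search(cmd)]


def score_hosts(events):
    """Aggregate rule hits per host and give each host a verdict."""
    per_host = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmd"]):
            per_host[ev["host"]].add(name)

    weights = {name: w for name, w, _rx in RULES}
    report = {}
    for host, names in per_host.items():
        score = sum(weights[n] for n in names)
        # Shadow-copy deletion together with the symlink change is the
        # pre-encryption pairing described for this sample.
        if {"shadow_copy_deletion", "symlink_r2l_enabled"} <= names:
            verdict = "pre_encryption_sequence"
        elif score >= 5:
            verdict = "suspicious"
        else:
            verdict = "review"
        report[host] = {"matched": sorted(names), "score": score, "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_EVENTS).items():
        print(host, info)
```

Scoring per host rather than per event is what separates an administrator running "arp -a" from the sample's burst: the benign workstation ends up at "review" with a single low-weight hit, while the file server collects the whole chain. Time-windowing the aggregation (for instance, within ten minutes) is the obvious next refinement.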
The malware appends an extension to the encrypted files, but the exact extension varies from sample to sample. The extension can be found hard-coded in the malware’s JSON formatted configuration file.
For encryption, the malware uses the standard “BCryptGenRandom” Windows API function to generate encryption keys. AES or ChaCha20 algorithms are used for file encryption. The global public key that is used to encrypt the local keys is extracted from the configuration file.
Most of these executables maintain a hard-coded set of username/password combinations that were stolen earlier from the victim organization for use during propagation and privilege escalation. There often appears to be almost half a dozen accounts, and a combination of domain administrative and service level credentials. This means the individual executable is compiled specifically for the target organization, containing sensitive information about the organization.
After the encryption process, the malware drops a ransomware note with details on how to contact the BlackCat ransomware operators.
Conclusion
After the REvil and BlackMatter groups shut down their operations, it was only a matter of time before another ransomware group took over the niche. Knowledge of malware development, a new written-from-scratch sample in an unusual programming language, and experience in maintaining infrastructure is turning the BlackCat group into a major player on the ransomware market.
Here we present a new data point connecting BlackCat with past BlackMatter activity – the reuse of the exfiltration malware Fendr. The group modified the malware for a new set of victims collected from data stores commonly seen in industrial network environments. BlackCat attempted to deploy the malware extensively within at least two organizations in December 2021 and January 2022. In the past, BlackMatter prioritized collection of sensitive information with Fendr to successfully support their double coercion scheme, just as BlackCat is now doing, and it demonstrates a practical but brazen example of malware re-use to execute their multi-layered blackmail. The modification of this reused tool demonstrates a more sophisticated planning and development regimen for adapting requirements to target environments, characteristic of a more effective and experienced criminal program.
DDoS IRC Bot Malware Spreading Through Korean WebHard Platforms
21.1.2022 BotNet Thehackernews
An IRC (Internet Relay Chat) bot strain programmed in GoLang is being used to launch distributed denial-of-service (DDoS) attacks targeting users in Korea.
"The malware is being distributed under the guise of adult games," researchers from AhnLab's Security Emergency-response Center (ASEC) said in a new report published on Wednesday. "Additionally, the DDoS malware was installed via downloader and UDP RAT was used."
The attack works by uploading the malware-laced games to webhards — which refers to a web hard drive or a remote file hosting service — in the form of compressed ZIP archives that, when opened, include an executable ("Game_Open.exe") orchestrated to run a malware payload in addition to launching the actual game.
This payload, a GoLang-based downloader, establishes connections with a remote command-and-control (C&C) server to retrieve additional malware, including an IRC bot that can perform DDoS attacks.
"It is also a type of DDoS Bot malware, but it uses IRC protocols to communicate with the C&C server," the researchers detailed. "Unlike UDP Rat that only supported UDP Flooding attacks, it can also support attacks such as Slowloris, Goldeneye, and Hulk DDoS."
GoLang's low development difficulty and its cross-platform support have made the programming language a popular choice for threat actors, the researchers added.
"The malware is being distributed actively via file sharing websites such as Korean webhards," AhnLab said. "As such, caution is advised when approaching executables downloaded from a file-sharing website. It is recommend[ed] for the users to download products from the official websites of developers."
Abcbot Botnet Linked to Operators of Xanthe Cryptomining malware
19.1.2022 BotNet Thehackernews
New research into the infrastructure behind an emerging DDoS botnet named Abcbot has uncovered "clear" links with a cryptocurrency-mining botnet attack that came to light in December 2020.
Attacks involving Abcbot, first disclosed by Qihoo 360's Netlab security team in November 2021, are triggered via a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud to download malware that co-opts the machine to a botnet, but not before terminating processes from competing threat actors and establishing persistence.
The shell script in question is itself an iteration of an earlier version originally discovered by Trend Micro in October 2021 hitting vulnerable ECS instances inside Huawei Cloud.
But in an interesting twist, continued analysis of the botnet by mapping all known Indicators of Compromise (IoCs), including IP addresses, URLs, and samples, has revealed Abcbot's code and feature-level similarities to that of a cryptocurrency mining operation dubbed Xanthe that exploited incorrectly-configured Docker implementations to propagate the infection.
"The same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks," Cado Security's Matt Muir said in a report shared with The Hacker News.
The semantic overlaps between the two malware families range from how the source code is formatted to the names given to the routines, with some functions not only sporting identical names and implementation (e.g., "nameservercheck") but also having the word "go" appended to the end of the function names (e.g., "filerungo").
"This could indicate that the Abcbot version of the function has been iterated on several times, with new functionality added at each iteration," Muir explained.
Furthermore, the deep-dive examination of the malware artifacts revealed the botnet's capability to create as many as four users of their own by using generic, inconspicuous names like "autoupdater," "logger," "sysall," and "system" to avoid detection, and adding them to the sudoers file to give the rogue users administrative powers over the infected system.
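Accounts with names like "autoupdater" or "system" blend into a quick glance at /etc/passwd, but they cannot hide from a comparison against a baseline: a host has a known set of login-capable accounts and sudo principals, and anything outside it deserves a look. The audit below is an added example (not Cado Security's code) that parses constructed passwd and sudoers content, with the baseline sets and the four rogue names taken as assumptions for the demo.

```python
import re

# Constructed /etc/passwd and /etc/sudoers content for this example; the four
# extra accounts use the inconspicuous names described in the Abcbot report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
autoupdater:x:1001:1001::/home/autoupdater:/bin/bash
logger:x:1002:1002::/home/logger:/bin/bash
sysall:x:1003:1003::/home/sysall:/bin/bash
system:x:1004:1004::/home/system:/bin/bash
"""

SAMPLE_SUDOERS = """\
# constructed sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
autoupdater ALL=(ALL) NOPASSWD:ALL
logger ALL=(ALL) NOPASSWD:ALL
sysall ALL=(ALL) NOPASSWD:ALL
system ALL=(ALL) NOPASSWD:ALL
@includedir /etc/sudoers.d
"""

# Baseline for the demo host (assumption): who may sudo, who may log in.
EXPECTED_SUDO_PRINCIPALS = {"root", "%sudo"}
EXPECTED_LOGIN_ACCOUNTS = {"root", "ubuntu"}

# A user specification is "<user|%group|+netgroup> <hosts> = (runas) commands".
SUDO_SPEC_RE = re.compile(r"^(?P<principal>[%+]?[\w.-]+)\s+\S+\s*=\s*(?P<rest>.+)$")
ALIAS_KEYWORDS = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")
NOLOGIN_SHELLS = ("/nologin", "/false")


def parse_passwd(text):
    """Return dicts with name, uid and shell for each well-formed passwd line."""
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue
        accounts.append({"name": fields[0], "uid": int(fields[2]), "shell": fields[6]})
    return accounts


def parse_sudoers(text):
    """Return user specifications only; comments, Defaults, aliases and @include lines are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@")) or line.startswith(ALIAS_KEYWORDS):
            continue
        m = SUDO_SPEC_RE.match(line)
        if m:
            specs.append({"principal": m["principal"], "nopasswd": "NOPASSWD" in m["rest"]})
    return specs


def audit_accounts(passwd_text, sudoers_text, expected_sudo, expected_logins):
    """Compare the live account state against the baseline and report deviations."""
    accounts = parse_passwd(passwd_text)
    specs = parse_sudoers(sudoers_text)
    principals = {s["principal"] for s in specs}
    return {
        "unexpected_sudoers": sorted(principals - set(expected_sudo)),
        "nopasswd_sudoers": sorted({s["principal"] for s in specs if s["nopasswd"]}),
        "unexpected_login_accounts": sorted(
            a["name"] for a in accounts
            if not a["shell"].endswith(NOLOGIN_SHELLS) and a["name"] not in expected_logins
        ),
        "uid0_accounts": sorted(a["name"] for a in accounts if a["uid"] == 0),
    }


if __name__ == "__main__":
    result = audit_accounts(SAMPLE_PASSWD, SAMPLE_SUDOERS,
                            EXPECTED_SUDO_PRINCIPALS, EXPECTED_LOGIN_ACCOUNTS)
    for key, names in result.items():
        print(f"{key}: {names}")
```

On a real host the same functions take the contents of /etc/passwd and the output of "visudo -c" or a concatenation of /etc/sudoers with /etc/sudoers.d/*, and the baseline comes from configuration management rather than a literal; the "uid0_accounts" list catches the other common trick of a second UID 0 account, which this sample does not contain.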
"Code reuse and even like-for-like copying is often seen between malware families and specific samples on any platform," Muir said. "It makes sense from a development perspective; just as code for legitimate software is reused to save development time, the same occurs with illegitimate