Recent investigations by Qihoo 360's Netlab security team have unveiled an emergent botnet named "Abcbot." The malware spreads with worm-like propagation, targeting Linux systems to execute distributed denial-of-service (DDoS) attacks on various victims.

The botnet’s inception can be traced back to July 2021, yet its latest variants, identified as of October 30, exhibit enhanced capabilities. These enhancements emphasize attacking Linux web servers that feature weak password protections and are vulnerable to N-day exploitable flaws. Among its new functionalities is a custom DDoS mechanism signifying ongoing development efforts from its creators.

Notably, Netlab’s analysis complements an earlier report from Trend Micro, which highlighted attacks on Huawei Cloud, utilizing malware designed for cryptocurrency mining and cryptojacking. These threats were particularly sophisticated, employing malicious shell scripts that disabled security processes on the servers and altered user credentials for the Elastic cloud service.

The proliferation of Abcbot is reportedly facilitated through shell scripts, with six distinct versions detected thus far. When deployed on an affected system, the malware executes a series of processes that convert the compromised device into a web server, relaying system data to a command-and-control (C2) server. Additionally, it autonomously scans for open ports to disseminate the malware further, simultaneously updating itself whenever new features are introduced.

Investigations reveal that a version updated on October 21 employed the open-source ATK Rootkit to enable its DDoS functionalities. This method necessitated that Abcbot download, compile, and activate the rootkit module prior to launching attacks. However, the researchers indicated that this multi-step approach could easily result in failures; thus, the adversaries opted for a more efficient custom attack module in the variant released on October 30, completely omitting the ATK rootkit.

This disclosure follows shortly after Netlab's account of the "Pink" botnet, which has allegedly compromised over 1.6 million devices, predominantly in China, with the aim of executing DDoS assaults and injecting advertisements into the HTTP traffic of unsuspecting users. Concurrently, AT&T Alien Labs introduced a new Golang malware called "BotenaGo," which is capable of exploiting over thirty vulnerabilities to target millions of routers and internet-connected devices.

According to the researchers, the evolution of Abcbot within the past six months reflects a shift between varying technologies rather than a mere series of feature upgrades. They describe the botnet as transitioning from its initial stages toward a more developed state, suggesting that it remains far from its final configuration and will likely see considerable enhancements in the future.

The behaviour described here maps onto tactics in the MITRE ATT&CK framework: initial access through weak passwords and N-day exploits on exposed Linux web servers, and persistence through self-updating shell scripts. As the cybersecurity domain continues to grapple with such threats, organizations must remain vigilant and proactive, employing robust defenses to safeguard their systems against these persistent and adaptive adversaries.