22 December 2021

New version of Abcbot botnet goes after Chinese cloud hosting providers

Security researchers have spotted a new version of the Abcbot botnet malware, which targets Chinese cloud hosting providers, such as Alibaba Cloud, Baidu, Tencent, and Huawei Cloud.

An early version of the bot was discovered and detailed by the cybersecurity firm Trend Micro in October 2021. A month later, in November, researchers from Qihoo 360’s Netlab security team spotted a version of the botnet targeting Linux systems to launch distributed denial-of-service (DDoS) attacks, which they named “Abcbot” (after the source path “abc-hello”).

Now, researchers at Cado Security say they have come across a new version of the malicious shell script, this one targeting insecure cloud instances running at the above-mentioned Chinese cloud hosting providers.

Upon execution, the shell script calls a number of functions in sequence. The first, named “nameservercheck”, disables SELinux protections and ensures network connectivity by adding Google’s public DNS servers (8.8.8.8 and 8.8.4.4) to /etc/resolv.conf if they are not already present.

The script also kills rival malware, including cryptominers and other cloud-focused malware, removes SSH keys left behind by similar attacks, and inserts its own key to guarantee continued access to the host.

“Finally, if an SSH known_hosts file and corresponding public key exists in the root user’s .ssh directory, the script iterates through the known hosts, connecting to each one in turn and installing a copy of itself using the data transfer tools mentioned previously. This allows propagation of the malware in a worm-like fashion and ensures rapid compromise of related hosts,” the researchers wrote.
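The three host-level traces described above (foreign resolvers in /etc/resolv.conf, an unapproved key in root’s authorized_keys, and a known_hosts file that gives the worm step its target list) can be checked from a defender’s side. The audit below is an added example written for this article, not Cado Security’s code; the file contents, key bodies and the expected resolver 10.0.0.53 are constructed placeholders, and in practice the real files from the host under review would be passed in.

```python
import re
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def unexpected_nameservers(resolv_conf: str, expected: set) -> list:
    """Nameserver entries in resolv.conf that are not on the expected list."""
    found = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, flags=re.MULTILINE)
    return [ip for ip in found if ip not in expected]


def unknown_authorized_keys(authorized_keys: str, approved: set) -> list:
    """Key bodies in authorized_keys that are not in the approved set."""
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # An entry may begin with options (e.g. no-pty); the body follows the key type.
        for i, tok in enumerate(parts[:-1]):
            if tok.startswith(KEY_TYPES):
                if parts[i + 1] not in approved:
                    unknown.append(parts[i + 1])
                break
    return unknown


def lateral_exposure(known_hosts: str, root_has_private_key: bool) -> list:
    """Hosts the worm step could reach: known_hosts entries, if root holds a private key."""
    if not root_has_private_key:
        return []
    hosts = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#@|":  # skip comments, markers, hashed (|1|) entries
            continue
        hosts.extend(parts[0].split(","))  # the host field may list aliases
    return hosts


# Constructed samples standing in for /etc/resolv.conf and root's authorized_keys/known_hosts.
RESOLV = "search corp.example\nnameserver 10.0.0.53\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n"
AUTH_KEYS = "ssh-ed25519 APPROVEDKEYBODY admin@corp\nssh-rsa UNKNOWNKEYBODY root@unknown\n"
KNOWN = "db1.corp.example,10.0.1.5 ssh-ed25519 HOSTKEYBODY\n|1|SALT|HASHEDHOST ssh-rsa HOSTKEYBODY\n"


def audit() -> dict:
    """Run all three checks on the samples; any non-empty list is a finding to investigate."""
    return {"nameservers": unexpected_nameservers(RESOLV, {"10.0.0.53"}),
            "ssh_keys": unknown_authorized_keys(AUTH_KEYS, {"APPROVEDKEYBODY"}),
            "reachable_hosts": lateral_exposure(KNOWN, root_has_private_key=True)}
```

A non-empty `reachable_hosts` list is the set of machines to check next, since the script connects to every known host in turn.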

More technical details along with Indicators of Compromise are available in Cado Security’s report.
