Security researchers have spotted a new version of the Abcbot botnet malware, which targets Chinese cloud hosting providers, such as Alibaba Cloud, Baidu, Tencent, and Huawei Cloud.
The early version of the bot was discovered and detailed by the cybersecurity firm Trend Micro in October 2021. A month later, in November, researchers from Qihoo 360’s Netlab security team spotted a version of the botnet, which they named “Abcbot” (the name comes from the source path "abc-hello"), targeting Linux systems to launch distributed denial-of-service (DDoS) attacks.
Now, the researchers at Cado Security say they have come across a new version of a malicious shell script targeting insecure cloud instances running under the above mentioned Chinese cloud hosting providers.
Upon execution, the shell script calls a number of functions sequentially, the first one, named “nameservercheck”, disables SELinux protections and ensures network connectivity by inserting IPs for Google’s public DNS servers (184.108.40.206 & 220.127.116.11) into the /etc/resolv.conf file (if they don’t exist).
The shell script also kills rival malware, including cryptominers and cloud-focused malware, and removes SSH keys left by similar attacks and inserts its own to guarantee access to the host.
“Finally, if a SSH known_hosts file and corresponding public key exists in the root user’s .ssh directory, the script iterates through the known hosts, connecting to each one in turn and installing a copy of itself using the data transfer tools mentioned previously. This allows propagation of the malware in a worm-like fashion and ensures rapid compromise of related hosts,” the researchers wrote.
More technical details along with Indicators of Compromise are available in Cado Security’s report.