Xanthe cryptojacking campaign likely gave way to the Abcbot botnet, signaling a transition towards more hostile activities.
Researchers at Cado security claim that the novel Abcbot botnet and Xanthe-based cryptojacking campaign have the same operator.
Security researchers noted that the Abcbot botnet was showing worm-like propagation with the aim to infect Linux systems and a likely goal of launching future distributed-denial-of-service (DDoS) attacks.
First spotted in July, the malicious script was later named Abcbot based on its source path ‘abc-hello’ string. According to researchers, the botnet started targeting insecure cloud instances, signaling a transformation towards possible use in DDoS attacks.
Further investigation points to the Abcbot having a much longer history than anticipated. According to Matt Muir, a security researcher at Cado Security, code analysis suggests a link between the Abcbot and Xanthe campaign.
Discovered in late 2020 by Cisco’s Talos security research team, the malware enabled cryptocurrency mining bots to flourish in the host system.
“We believe that the same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks,” Muir writes.
Researchers noted that Xanthe and Abcbot code samples are similar in style, with some Abcbot lines identical to ones seen in Xanthe.
Even though both campaigns analyzed are shell scripts and can be easily copied, researchers believe that’s not the case.
“We believe that there are several links between both the Xanthe and Abcbot malware families that suggest the same threat actor is responsible,” Muir writes.
The reuse of unique strings, mentions of shared infrastructure, stylistic choices, and functionality can be seen in both samples and is difficult and pointless to copy if not the same person is behind both.
Researchers believe that the new findings further point to the Abcbot botnet transforming towards a fully-fledged botnet capable of large-scale DDoS attacks.
“If the same threat actor is behind both campaigns, it signals a shift away from the objective of mining cryptocurrency on compromised hosts onto activities more traditionally associated with botnets – such as DDoS attacks. We suspect this won’t be the last malware campaign we analyze from this actor,” the author of the report claims.
2021 has witnessed several major DDoS attacks to the table. Recently, a multi-vector attack peaked just under 2 Tbps, making it one of the largest ever recorded.
The distributed-denial-of-service (DDoS) attack against Yandex that was carried out from August to September clocked in at a humongous 22 million requests per second (RPS).
A DDoS caused internet outages in New Zealand when the country’s third-largest internet service provider was hit. The attack cut off around 15% of the country’s broadband customers from the internet at one point.
Recent reports show that 2021 will be yet another record year for the number of DDoS attacks carried out. Threat actors launched approximately 2.9 million DDoS attacks in the first quarter of 2021, a 31% increase from the same time in 2020.
During DDoS attacks, vast numbers of “bots” attack target computers. Hence, many entities attack a target, which explains the “distributed” part. The bots are infected computers spread across multiple locations. There isn’t a single host. You may be hosting a bot right now and not even know it.
When DDoS attackers direct their bots against a specific target, it has some pretty unpleasant effects. Most importantly, a DDoS attack aims to trigger a “denial of service” response for people using the target system. This takes the target network offline.
If you’ve repeatedly struggled to access a retail website, you may well have encountered a denial of service. And it can take hours or days to recover from.
More from CyberNews:
Subscribe to our newsletter