A new wormable Linux botnet has been observed in the wild. Called Abcbot, the threat is targeting “relatively new cloud service providers (CSPs) with cryptocurrency-mining malware and cryptojacking attacks,” according to Trend Micro’s findings.
The malware deploys code that removes applications and services mainly in Huawei Cloud, such as the so-called hostguard service that detects security issues and protects the system. Security researchers at 360’s Network Security Research Lab also provided technical details about the new Linux malware.
Abcbot Technical Overview
Abcbot was first detected by Tencent researchers in 2020 in a campaign that targeted container environments. The newer samples of the malware contain the same firewall-rule creation code that was present in last year’s samples. “However, it’s been commented on, so no rule is created. We’ve observed that the newer samples are only targeting cloud environments,” Trend Micro pointed out.
It is noteworthy that Abcbot’s operators are now searching for specific public keys that would help them eliminate their competition from the infected system and update their own keys. This shows that the threat operators want to accomplish a comprehensive sanitization of the targeted operating system. The malware attempts to locate both previous infections and security utilities that could prevent its malicious operation. In addition, it also utilizes “simple but effective commands to clean up after it performs its infection routine.”
Once all unnecessary users are removed from the system, the malware creates several users of its own, a behavior seen only partially in previous samples targeting the cloud. This campaign, however, creates more users with generic names such as “system” and “logger.” The purpose of these names is to trick an inexperienced Linux analyst into believing the users are legitimate. The malicious users are also given administrative powers.
Another interesting finding is that “the hacking team also adds their own ssh-rsa key to enable them to repeatedly log in to the infected system.” Once system modifications are done, special permissions are added to prohibit further modifications on those files. This is done to ensure that the created users can’t be removed or changed.
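The persistence traits described above (extra privileged accounts with generic names, an attacker-added ssh-rsa key, and protected account files) are all things a responder can audit from a few text files. The following is an added example, not tooling from Trend Micro, 360 or the malware itself; every sample input is constructed, the key blobs are placeholder text, and the immutable-attribute check assumes the “special permissions” are the chattr +i attribute, which the article does not name.

```python
"""Audit helpers for the persistence traits described above: extra UID-0
accounts, authorized_keys entries nobody approved, and files marked immutable.
Added example, not tooling from Trend Micro, 360 or the malware itself;
every sample input here is constructed."""
import shlex

# Constructed /etc/passwd content. The "system" and "logger" names mirror the
# generic names the article mentions; the rows themselves are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
system:x:0:0::/:/bin/bash
logger:x:0:0::/:/bin/bash
"""

# Constructed authorized_keys content; the key blobs are placeholder text,
# not real key material.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3PLACEHOLDER_ALICE alice@laptop
no-pty,command="/usr/bin/backup" ssh-rsa AAAAB3PLACEHOLDER_BACKUP backup
ssh-rsa AAAAB3PLACEHOLDER_UNKNOWN
"""

# Assumption: the administrator keeps an allowlist of approved key blobs.
APPROVED_KEY_BLOBS = {"AAAAC3PLACEHOLDER_ALICE", "AAAAB3PLACEHOLDER_BACKUP"}

# Constructed output in the shape `lsattr -d` prints (flag column, then path).
SAMPLE_LSATTR = """\
--------------e------- /etc/shadow
----i---------e------- /etc/passwd
----i---------e------- /root/.ssh/authorized_keys
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def extra_root_accounts(passwd_text):
    """Return account names other than 'root' whose UID field is 0."""
    found = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def unapproved_keys(keys_text, approved_blobs):
    """Return (key_type, blob, comment) for entries whose blob is not approved.

    An entry may start with an options field (e.g. no-pty,command="..."),
    so the key type is located by prefix rather than assumed to be first.
    """
    unknown = []
    for line in keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
                blob = tokens[i + 1]
                comment = " ".join(tokens[i + 2:])
                if blob not in approved_blobs:
                    unknown.append((tok, blob, comment))
                break
    return unknown


def immutable_files(lsattr_text):
    """Return paths whose lsattr flag column contains the immutable 'i' flag.

    Assumption: the 'special permissions' mentioned in the article are the
    chattr +i attribute; the article itself does not name the mechanism.
    """
    paths = []
    for line in lsattr_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            paths.append(parts[1])
    return paths


if __name__ == "__main__":
    print("UID-0 accounts besides root:", extra_root_accounts(SAMPLE_PASSWD))
    print("Unapproved SSH keys:",
          unapproved_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEY_BLOBS))
    print("Immutable files:", immutable_files(SAMPLE_LSATTR))
```

On a live system the three functions would be fed the contents of /etc/passwd, each user’s authorized_keys file and the output of `lsattr -d` over the account files; an immutable attribute on /etc/passwd or an authorized_keys file is itself worth investigating, since it is what stops the cleanup the article describes from being reversed with a plain `userdel`.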
Abcbot’s operators are also scanning the targeted system for specific vulnerabilities and security loopholes, including:
SSH weak passwords
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (CVE-2020-14882)
Redis unauthorized access or weak passwords
PostgreSQL unauthorized access or weak password
SQLServer weak password
MongoDB unauthorized access or weak password
File transfer protocol (FTP) weak password
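Most of the entries in that list are not software bugs but weak settings: password logins over SSH and services reachable without authentication. The following added example (not from the article or from any of the cited research teams) checks sshd_config and redis.conf text for those settings and shows a weak fragment beside a hardened one; all configuration snippets are constructed, and the checker deliberately ignores sshd Match blocks and include directives.

```python
"""Check sshd_config and redis.conf text for the weak settings the scanning
listed above relies on: password and root logins over SSH, and a Redis
listener with no authentication. Added example, not from the article; the
configuration snippets are constructed."""

# Constructed weak and hardened sshd_config fragments.
WEAK_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Constructed weak and hardened redis.conf fragments.
WEAK_REDIS = """\
bind 0.0.0.0
protected-mode no
"""
HARDENED_REDIS = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
"""


def parse_directives(text):
    """Map lowercase keyword -> list of values, in file order.

    Both files use 'keyword value' lines with '#' comments. Match blocks in
    sshd_config and include directives are not handled here.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) == 2 else ""
        directives.setdefault(key, []).append(value)
    return directives


def sshd_findings(text):
    """Weak settings in sshd_config. sshd honours the first value it sees for
    a keyword, and the fallbacks below are the OpenSSH defaults when absent."""
    d = parse_directives(text)
    findings = []
    # Default is 'yes', so an absent keyword still leaves password logins on.
    if d.get("passwordauthentication", ["yes"])[0].lower() == "yes":
        findings.append("PasswordAuthentication is enabled")
    # Default is 'prohibit-password'; only an explicit 'yes' is a finding.
    if d.get("permitrootlogin", ["prohibit-password"])[0].lower() == "yes":
        findings.append("PermitRootLogin yes allows root password logins")
    return findings


def redis_findings(text):
    """Weak settings in redis.conf that leave an unauthenticated listener."""
    d = parse_directives(text)
    findings = []
    # Without a bind directive Redis listens on every interface.
    bind_addrs = " ".join(d.get("bind", ["0.0.0.0"])).split()
    if any(a in ("0.0.0.0", "::", "*") for a in bind_addrs):
        findings.append("bind exposes Redis on all interfaces")
    if d.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode is disabled")
    # requirepass, or Redis 6+ ACL users / an aclfile, is the minimum for auth.
    has_auth = any(k in d for k in ("requirepass", "user", "aclfile"))
    if not has_auth:
        findings.append("no authentication configured")
    return findings


if __name__ == "__main__":
    for label, fn, cfg in (("weak sshd", sshd_findings, WEAK_SSHD),
                           ("hardened sshd", sshd_findings, HARDENED_SSHD),
                           ("weak redis", redis_findings, WEAK_REDIS),
                           ("hardened redis", redis_findings, HARDENED_REDIS)):
        print(label, "->", fn(cfg) or "no findings")
```

The same shape of check applies to the other services in the list (PostgreSQL’s pg_hba.conf trust entries, MongoDB’s security.authorization setting, anonymous FTP); the point is that an empty finding list from a configuration audit is the cheapest way to take a host out of the population this scanning is looking for.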
The end goal of the operation is dropping cryptocurrency miners, which are among the most commonly deployed payloads on Linux. Trend Micro researchers reached out to Huawei’s media team with their findings prior to publication and are currently awaiting the company’s acknowledgment or reply.
In October 2021, researchers uncovered a new, previously unseen malware family targeting Linux systems. Dubbed FontOnLake by ESET researchers, and HCRootkit by Avast and Lacework, the malware has rootkit capabilities, advanced design and low prevalence, suggesting that it is primarily meant for targeted attacks.