New Abcbot botnet goes after Chinese cloud providers

Security researchers have spotted a new malware botnet that, over the past few months, has specifically targeted the infrastructure of Chinese cloud hosting providers.

Named Abcbot, the botnet has targeted servers hosted by companies like Alibaba Cloud, Baidu, Tencemt, and Huawei Cloud, Cado Security said in a report today, echoing previous findings from Trend Micro and Qihoo 360 Netlab.

"My theory is that the newer CSPs such as Huawei Cloud, Tencent and Baidu are not as mature as something like AWS, which includes automatic alerting when a cloud instance is deployed in an insecure fashion," Matt Muir of Cado Security told The Record in an email this week.

"Alibaba Cloud certainly has been around longer so its security services are more mature, but it is noteworthy that after Trend Micro [initially] saw malware targeting Huawei Cloud, the new samples we analyzed are targeting additional Chinese cloud providers," Muir added.

Abcbot's attacks typically target Linux servers hosted by these companies that are secured with weak passwords or are running unpatched applications.

Once an initial entry point is found, Abcbot deploys a Linux bash script that disables SELinux security protections, creates a backdoor for the attacker, and then scans the infected hosts for signs of other malware botnets.

If competing malware is found, Abcbot kills processes known to be associated with other botnets and processes related to crypto-mining operations.

It then also takes another step not seen with other botnets by removing SSH keys and only leaving its own in place to guarantee that they're the only ones that can connect.

Muir said that this behavior suggests that other groups are using a similar technique, which the Abcbot developers have also picked up on and decided to block.

"Alternatively, it could be that they're removing their own keys from prior campaigns," Muir also told us.

Muir said that Abcbot samples analyzed by Cado researchers only contained functionality to corral infected systems as part of Abcbot's botnet.

However, previous samples analyzed by Trend Micro included modules for crypto-currency mining, and samples analyzed by Netlab included features for DDoS attacks.

Taking into consideration the steps Abcbot took to kill crypto-mining processes it did not spawn itself; it may be that its final purpose is to generate cryptocurrency profits for the attackers after all.

Right now, the size of the Abcbot botnet is still unknown to Cado and other researchers.

"Given that the malware targets specific CSPs, this suggests that propagation is fairly limited," Muir said.

"The method of propagation (via enumeration of known_hosts) could absolutely mean that it has spread beyond the boundaries of the CSPs it was originally meant to target," the Cado Security researcher added.