Articles Abcbot botnet attacks Chinese cloud providers

Abcbot botnet attacks Chinese cloud providers


The Arcbot botnet attacks the infrastructure of Chinese cloud hosting providers, researchers at Cado Security warned . Presumably, the main purpose of malware is cryptocurrency mining.

Abcbot attacks the servers of companies such as Alibaba Cloud, Baidu, Tencemt and Huawei Cloud, experts say, confirming the findings of its colleagues at  Trend Micro  and  Qihoo 360 NetLab .

“I have a theory that younger providers of cloud-based services, such as Huawei Cloud, Tencent and Baidu, is not as developed as the AWS, where there are automatic notifications for when the deployment is carried out in an insecure manner, – he told the publication The Record   Matt Muir of Cado Security. “Alibaba’s cloud has definitely been around longer, so the company’s security services are looking more mature as well. Notably, Trend Micro discovered malware targeting Huawei Cloud, and the new samples we analyzed are already targeting other Chinese cloud providers. ”

Abcbot attacks typically target Linux servers that are protected with weak passwords or that run unsecured applications. Once the entry point is found, Abcbot deploys a Linux bash script that disables SELinux protection, creates a backdoor for malware operators, and then scans infected systems for other malware.

Upon detecting competing malware, Abcbot kills its processes, as well as any other processes that may be associated with cryptocurrency mining. Then Abcbot takes another action, not typical for other botnets: it deletes the SSH keys, leaving only its own to ensure that its operators are the only ones who can connect to the server.

Muir says this behavior suggests that other hack groups are also using a similar technique that Abcbot developers have taken up and decided to thwart competitors. However, it is possible that hackers also simply delete their own keys from previous campaigns.

Interestingly, the Abcbot samples studied by Cado Security could only infect new systems, making them part of a botnet. At the same time, the old samples analyzed by Trend Micro had modules for cryptocurrency mining, and the samples studied by Qihoo 360 NetLab could be used to organize DDoS attacks. However, given that the malware destroys any mining-related processes on infected machines, experts believe that its ultimate goal is still mining cryptocurrency.

Must read

28 dangerous extensions detected for Google Chrome and Microsoft Edge

Avast experts have discovered malware hidden in at least 28 third-party...

Critical Infrastructure Warning! Millions of PLCs, switches, IoT devices are under threat

Eleven vulnerabilities, combined under the name Urgent / 11,...

Why Is It Important To Have Intrusion Detection And Prevention ?

This article describes why detection and prevention of burglaries...

The risk is real: attacks on OT infrastructure

Previously, many believed that attacks on an isolated OT...

Gitpaste-12: Linux bot armed with a dozen exploits

Researchers at Juniper Networks have discovered a Linux scripting...

Saferwall : Open Source Malware Analysis

Saferwall is an open source malware analysis platform. It...

Network Vulnerability Assessment ? Why Should Every Company Do it at least once a Year !

Network vulnerability assessment analyzes a variety of network issues,...

Artificial Intelligence and Cyber Security

As artificial intelligence intrudes into the world of cybersecurity,...

You might also likeRELATED
Recommended to you