Researchers have discovered that the Abcbot botnet is connected to cryptocurrency-mining botnet attacks carried out by the Xanthe malware group.
Abcbot’s connection to Xanthe
Security researchers from Cado Security have released a report, highlighting that the same threat group is working behind Xanthe malware and Abcbot botnet.
According to the report, there is an overlap between the two malware when it comes to similar coding styles, an identical pattern of giving names to routines, with some functions with similar names and implementation (e.g., nameservercheck) and a word ‘go’ added to the end of the function names (e.g., filerungo).
Abcbot botnet creates four malicious users of its own by using generic names such as sysall, logger, system. Users with the same usernames were observed in Xanthe samples too.
Experts added that cybercriminals could be doing away with cryptomining attempts and moving toward traditional botnet functionality of pursuing DDoS attacks.
A background on Abcbot
Qihoo 360's Netlab security team first discovered the Abcbot attacks in November 2021. The attacks had used shell scripts targeting insecure cloud instances managed by various cloud service providers.
Since then, the Abcbot version of the function has been updated multiple times, with a new function being added in every phase of the update.
Multiple code and feature-level similarities imply that the same group is operating both Abcbot and Xanthe. Moreover, gradual updates in the botnet’s capabilities are attempts by its creators to mature it further for bigger campaigns.