Abcbot – An Evolution of Xanthe

There are a few infrastructure overlaps. For example, the following rule allowing ingress traffic from 64[.]225[.]46[.]44 in the Xanthe sample also appears in the Abcbot sample.
Whilst it’s common to see cryptojacking malware authors simply copy code from each other, there are a number of other similarities discussed below which make a direct link in ownership between the Xanthe and Abcbot campaigns more likely.

In the original report from Cisco’s Talos security research team, researchers commented on the coding style of the shell scripts being analysed – in particular, functions being declared at the top of the file and then invoked in some of the later lines.
Talos researchers suggested that this likely aids testing of new iterations, with functionality enabled/disabled through commenting of the lines responsible for function invocation.
Both the Abcbot and Xanthe samples we compared follow this coding style.

Linking these two samples based on code style similarities alone would be tenuous, at best. However, if we look at some of the function names themselves, correlation becomes apparent.
Several of the functions have “go” appended to the end of the function name and some functions have identical names. The following names appear in both samples:

nameservercheck
croncheckgo
checkrc
iptableschecker
filerungo

Comparing the above, we can immediately see that the Abcbot version of the nameservercheck function is significantly larger than the Xanthe counterpart.
The Xanthe sample we analyzed is older than the Abcbot sample by over a year (according to VirusTotal submissions).
This could indicate that the Abcbot version of the function has been iterated on several times, with new functionality added at each iteration.

The croncheckgo function in both samples is responsible for achieving persistence via the cron scheduling utility common to most Linux distributions.
Both samples include a TODO comment from the author, regarding adding logic to determine whether cron is running on different Linux distributions – a note to add logic presumably to deal with this.
The service command is then used to start the cron daemon and cron itself, guaranteeing that any modifications made to the crontab would be honoured by the scheduling utility.
The cron entries consist of curl commands with specified user-agent strings.
The purpose of this is covered in Talos’ research but if we look at the strings themselves, we can see that fczyo-cron is used in both samples, with different version numbers appended to each. Incidentally, one of the payloads downloaded by Xanthe is also named “fczyo”.

Reuse of a unique string such as this does seem more than coincidental and suggests that the code running on servers from both the Xanthe and Abcbot campaigns expects this string to be present in the user-agent.

Talos researchers noted that the method of propagation utilized by Xanthe was via enumeration of the known_hosts file, allowing the malware to spread to new hosts based on hosts the current host had previously connected to.

Our research of Abcbot showed examples of code used to add four malicious users to the compromised host, effectively creating four backdoors for the actor to utilize. The malicious usernames in question were:

logger
sysall
system
autoupdater
In the Xanthe sample, users with the same usernames are added to the system (if they do not already exist).
Similarly, both Abcbot and Xanthe search for and remove users that we assumed were from competing campaigns.

As researchers at Talos reported, perhaps one of the defining features of Xanthe was the use of an open source process hiding library named libprocesshider.so. This was used to hide the process created by the XMRig miner by inserting the path to the library into the /etc/ld.so.preload file.

We did not see evidence of this process hiding technique in the Abcbot sample we analyzed. We did, however, see some code that references use of the technique in previous campaigns (such as Xanthe) in the function kill_miner_proc; a function responsible for clearing artifacts of miners from competing or prior campaigns.

Sign Up For Threat Alerts

Loading...
Threats Icon

Jul 04, 2023

Rhysida Ransomware RaaS Crawls Out of Crimeware...

The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware...

Threats Icon

Jun 26, 2023

Operation Magalenha – Long-Running Campaign Pursues Portuguese...

The attackers can steal credentials and exfiltrate users' data and personal information, which can be...

Threats Icon

Apr 24, 2023

Lazarus Group Adds Linux Malware to Arsenal...

Researchers have discovered a new campaign conducted by Lazarus, known as "Operation DreamJob," which targets...

Threats Icon

Apr 23, 2023

Additional IOCs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed.

Threats Icon

Apr 23, 2023

Ex-Conti and FIN7 Actors Collaborate with New...

IBM Security X-Force recently discovered a new malware family Analysts have called "Domino," which Analysts...

Threats Icon

Apr 20, 2023

AuKill EDR killer malware abuses Process Explorer...

The AuKill tool abuses an outdated version of the driver used by version 16.32 of...

Threats Icon

Apr 20, 2023

Fake Chrome updates spread malware

A campaign running since the end of last year is using hacked sites to push...

Threats Icon

Apr 20, 2023

QBot using new attack vector in its...

QBot, also known as QakBot, previously operated as a banking trojan and has since transformed...

Threats Icon

Apr 20, 2023

CrossLock Ransomware Emerges: New Golang – Based...

The CrossLock ransomware employs the double extortion technique to increase the likelihood of payment from...

Threats Icon

Apr 20, 2023

Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa...

A zero-day vulnerability in the Microsoft Windows system, which also affects Windows 11, has been...

Threats Icon

Apr 18, 2023

Additional IOcs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...

Threats Icon

Apr 18, 2023

Additional IOcs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...

Threats Icon

Apr 18, 2023

APT36 Expands Interest Within Indian Education Sector

Symantec described UPS in 2016 report as Buckeye (also known as APT3 Gothic Panda UPS...

Threats Icon

Apr 17, 2023

ChinaZ DDoS Bot Malware Distributed To Linux...

The ChinaZ DDoS bot malware was discovered targeting Linux systems while a version for Microsoft...

Threats Icon

Apr 16, 2023

Resurgence Of The Mexals Cryptojacking Campaign

The Mexals crypto jacking campaign has been in operation since at least 2021 and continues...