[MART] - Daily Diary #428 - Abcbot Linked To Xanthe Cryptojacking Group

CTAS-MAT ctas-mat at appgate.com
Mon Jan 10 21:27:32 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

01/10/2022 - Diary entry #428:

Discovered in July 2021, Abcbot is a malware used for launching distributed denial-of-service (DDoS) attacks. Abcbot spreads through insecure cloud instances - ones with known vulnerabilities - hosted by cloud service providers. On a compromised host, Abcbot is deployed via a malicious shell script, after which the host operates as part of a botnet.

Continued analysis of the botnet revealed that Abcbot's code has similarities to Xanthe, a cryptocurrency mining operation that, in December 2020, exploited misconfigured Docker instances to propagate its infection. The two threats share several characteristics, such as the same code formatting, the same routine names and implementation, and the word "go" appended to the end of function names.

This is an indicator that the same threat actor is responsible for both Abcbot and Xanthe and is moving from cryptocurrency mining to botnet activities, such as DDoS attacks and the deployment of additional payloads, as in a malware-as-a-service model.

Code reuse is very common in malware development, as mentioned in our Daily Diary #381 about the Snake InfoStealer staging mechanism being the same as that of other commercialized threats like AgentTesla and Formbook.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
C: +55 11 97467 9549
