Researchers have forged a “clear” link between the Abcbot botnet and a well-established cryptojacking cybercriminal group.
First discovered In July 2021 by Netlab 360, the Abcbot botnet began as a simple scanner that used basic credential stuffing attacks and known vulnerability exploits to compromise vulnerable Linux systems.
However, the developers quickly updated their creation to include self-update mechanisms, exploit kits, worm functionality, and a total of nine distributed denial-of-service (DDoS) attack functions.
These findings were a starting point for Cado Security, which published a further analysis of the botnet in December. By this stage, Abcbot botnet was also able to detect and kill Docker image-based cryptocurrency miners and malware already present on a target server, as well as disable cloud monitors including Aliyun Alibaba Cloud Assistant and Tencent monitoring components.
Trend Micro said that once a deep clean of compromised servers has taken place, new, malicious user profiles are added with high levels of privilege, and failsafes were deployed to stop them from being modified or removed.
While past examples of the botnet’s activity revealed a clean-up before it deployed its own cryptocurrency mining malware, on Monday, a new analysis published by Cado Security suggests the malware may be shifting back