Threat Watch

Abcbot Botnet Linked to Operators of Xanthe Cryptomining Malware

The infrastructure behind an emerging Distributed Denial of Service (or DDoS) botnet called Abcbot appears to be related to a cryptocurrency-mining botnet attack from December 2020, according to recently released research.

The Abcbot botnet, which uses a malicious shell script as an initial payload that targets insecure cloud instances, has been discovered to have similar features and code, as well as indicators of compromise (IOCs) such as IP addresses and URLs, to a cryptocurrency mining operation called Xanthe. Xanthe was a cryptomining botnet discovered in December 2020 that exploited misconfigured Docker API installations in order to infect Linux systems. The two malware families are believed to stem from the same threat actor due to a number of similarities in how the code has been written, including the format of routine names and functions that share the same names. Likewise, samples from both malware families have been discovered to have the same blocks of comment codes, perform the same behavior on the infected system, and contain the same exact logging output strings in various functions.

If these two malware families are indeed from the same threat actor, it shows a shift in its objective from mining cryptocurrency on compromised hosts, to activities more closely associated with botnets, such as DDoS attacks.


The initial infection vector for the Abcbot attacks appear to be via cloud systems that are secured with weak passwords (and have services like SSH open to the Internet) or unpatched applications. It is highly recommended to maintain proper patching levels on all applications, particularly ones that are Internet facing. Likewise, it is recommended to prevent SSH from being exposed to the Internet and tightly controlling access to it via the cloud service’s firewall functionality. If SSH being open to the Internet is required, it is recommended to make sure all accounts that have SSH access to the system have very strong passwords so malicious users cannot brute force the system and gain unauthorized access. The malware also performs a number of behavioral tasks once the initial payload has been executed; these tasks include things such as: creating new users and adding them to the /etc/sudoers file, disabling SELinux protections, and scanning for and killing competing malware botnets. These types of activities can create a number of behavioral artifacts in logs that can be used to detect malicious behavior. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.