The infrastructure behind an emerging Distributed Denial of Service (or DDoS) botnet called Abcbot appears to be related to a cryptocurrency-mining botnet attack from December 2020, according to recently released research.
The Abcbot botnet, which uses a malicious shell script as an initial payload that targets insecure cloud instances, has been found to share features, code, and indicators of compromise (IOCs) such as IP addresses and URLs with a cryptocurrency-mining operation called Xanthe. Xanthe was a cryptomining botnet discovered in December 2020 that exploited misconfigured Docker API installations in order to infect Linux systems. The two malware families are believed to stem from the same threat actor because of a number of similarities in how the code was written, including the format of routine names and functions that share the same names. Likewise, samples from both malware families have been found to contain the same blocks of code comments, to perform the same behavior on the infected system, and to emit exactly the same logging output strings in various functions.
If these two malware families are indeed from the same threat actor, it shows a shift in that actor's objective from mining cryptocurrency on compromised hosts to activities more closely associated with botnets, such as DDoS attacks.