A New Evolving Wormable Botnet Malware Targeting Linux (17th November 2021)

Ref# AL2021_43 | Date: Nov 17th 2021

Researchers from Qihoo 360's Netlab security team have released information about a new, evolving botnet known as "Abcbot", which has been observed using worm-like propagation to infect Linux systems and launch distributed denial-of-service (DDoS) attacks against targets.

Summary

Although the first version of the botnet was unearthed in July 2021, new variants found on 30th October carry additional updates to target Linux web servers with weak passwords and N-day vulnerabilities, as well as a custom implementation of DDoS functionality, indicating that the malware is still under active development.

Netlab's findings build on a report released recently by Trend Micro, which detailed cryptocurrency-mining and cryptojacking attacks targeting Huawei Cloud. Those intrusions were also notable because the malicious shell scripts specifically disabled a process designed to monitor and scan the servers for security flaws, and reset users' passwords for the Elastic cloud service.

According to the Chinese internet security firm, these same shell scripts are now being used to spread Abcbot. So far, six variants of the botnet have been identified.

How it works

Once installed on a compromised host, Abcbot disguises itself as legitimate system tooling by copying itself to /bin/dockerlogger, /usr/bin/dockerlogger and /etc/iptablesupdate, and then starting the dockerlogger and iptablesupdate processes.

The iptablesupdate process is responsible for scanning for new devices to infect, reporting the device information to the C2 server, and waiting to execute DDoS commands issued by the C2.

The dockerlogger process is responsible for turning the infected device into a web server, reporting the device information to the C2 server, and waiting to execute the Update command issued by the update server.

Both processes call the function abc_hello_util_Os_pz and report the same device information; the only difference is the naming scheme, which identifies which of the two processes is reporting.

The abc_hello_plugin_StartScan function, which is responsible for infecting new devices, is then called. It generates random IP addresses, checks whether the ports it can attack are open on those addresses, and then attacks the services either by working through the corresponding weak-password list or by using N-day vulnerabilities.

"What's intriguing is that the sample updated on October 21 leverages the open-source ATK Rootkit to achieve the DDoS function," the researchers wrote, adding that "abcbot must download the source code, compile, and load the rootkit module before executing a DDoS attack."

"This procedure has too many steps, and any bad step will cause the DDoS function to fail," the researchers noted; this forced the adversary to replace the off-the-shelf code with a new attack module in a later version, issued on October 30, that removed the ATK rootkit. Abcbot modified the main function in the ATK source file share_atk_svr.c and implemented a UDP server listening on SERV_PORT on 127.0.0.1, using the following code:

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);              /* UDP socket */
    bzero(&servaddr, sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    // servaddr.sin_addr.s_addr = htonl(INADDR_ANY);      /* 0.0.0.0 in the original ATK code */
    servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");    /* Abcbot binds to loopback only */
    servaddr.sin_port = htons(SERV_PORT);

The researchers concluded that the six-month update history reflects a trade-off between different technologies rather than a steady improvement of functionality. "From birth to adulthood, Abcbot is gradually maturing. We don't consider this to be the final version; there are numerous areas for improvement or features that need to be included at this point."
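The file paths and process names above are the most concrete host indicators the advisory gives. The following POSIX shell script is an added example written for this alert (not Netlab's or the CIRT's own code): it checks a root prefix for the three paths and scans a `ps -eo pid,comm` style listing for the two process names. The listing embedded in it is constructed sample data; the ROOT argument exists so the file check can be exercised against a staging directory.

```shell
#!/bin/sh
# Added example (not part of the advisory): host check for the Abcbot
# file and process names described in the alert. Paths and process names
# are taken from the advisory; SAMPLE_PS below is constructed, not real.

# Locations the advisory says Abcbot copies itself to.
ABCBOT_PATHS="/bin/dockerlogger /usr/bin/dockerlogger /etc/iptablesupdate"
# Process names the advisory says it starts.
ABCBOT_PROCS="dockerlogger iptablesupdate"

# find_abcbot_files ROOT: print each advisory path that exists under ROOT
# (ROOT is "" for the live system, or a staging directory when testing).
find_abcbot_files() {
    root="$1"
    for p in $ABCBOT_PATHS; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
        fi
    done
}

# find_abcbot_procs: read "PID COMMAND" lines on stdin (the format of
# `ps -eo pid,comm`) and print "pid comm" for every advisory process name.
find_abcbot_procs() {
    while read -r pid comm; do
        for name in $ABCBOT_PROCS; do
            if [ "$comm" = "$name" ]; then
                printf '%s %s\n' "$pid" "$comm"
            fi
        done
    done
}

# Constructed process listing (not real data) showing what a hit looks like.
SAMPLE_PS='  PID COMMAND
    1 systemd
 4242 dockerlogger
 4243 iptablesupdate
 4244 dockerd'

echo "== constructed sample listing =="
printf '%s\n' "$SAMPLE_PS" | find_abcbot_procs

echo "== live host =="
find_abcbot_files ""
if command -v ps >/dev/null 2>&1; then
    ps -eo pid,comm | find_abcbot_procs
fi
```

Treat a hit as a lead to confirm rather than proof: check with the package manager (for example `dpkg -S` or `rpm -qf`) that no installed package owns the path, and capture the binary before removing it.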

Remediation

At this time there is no specific patch to remedy this new malware. However, Linux users should ensure they implement the following security measures:

  • Update software regularly / enable automatic updates

  • Disable booting from external devices

  • Close hidden open ports

  • Generate a Secure Shell (SSH) key pair

  • Perform security audits

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.