Summary
Abcbot is a newly discovered, still-evolving botnet found in the wild. It has worm-like propagation features and targets Linux systems in order to carry out Distributed Denial-of-Service (DDoS) attacks against victim organizations. The malware was first launched in July 2021, and its latest version continues to evolve.
Indicators of Compromise:
Hashes
| SHA-1 | Description | ESET detection name |
|---|---|---|
| E69E69FBF438F898729E0D99EF772814F7571728 | MSI downloader for “decoy ZIP” | Win32/TrojanDownloader.Delf.CQR |
| 4A1C48064167FC4AD5D943A54A34785B3682DA92 | MSI installer | Win32/Spy.Numando.BA |
| BB2BBCA6CA318AC0ABBA3CD53D097FA13DB85ED0 | Numando banking trojan | Win32/Spy.Numando.E |
| BFDA3EAAB63E23802EA226C6A8A50359FE379E75 | Numando banking trojan | Win32/Spy.Numando.AL |
| 9A7A192B67895F63F1AFDF5ADF7BA2D195A17D80 | Numando banking trojan | Win32/Spy.Numando.AO |
| 7789C57DCC3520D714EC7CA03D00FFE92A06001A | DLL with overlay window images | Win32/Spy.Numando.P |
Abused legitimate applications
| Example SHA-1 | EXE name | DLL name |
|---|---|---|
| A852A99E2982DF75842CCFC274EA3F9C54D22859 | nvsmartmaxapp.exe | nvsmartmax.dll |
| F804DB94139B2E1D1D6A3CD27A9E78634540F87C | VBoxTray.exe | mpr.dll |
| 65684B3D962FB3483766F9E4A9C047C0E27F055E | Dumpsender.exe | Oleacc.dll |
C&C servers
- 138.91.168[.]205:733
- 20.195.196[.]231:733
- 20.197.228[.]40:779
Delivery URLs
Recommendation:
- Keep systems and workstations updated to the latest version.
- Enroll in a DDoS protection service.
- Monitor network traffic continuously for malicious traffic sent by the threat actor.
References:
Abcbot — A New Evolving Wormable Botnet Malware Targeting Linux (thehackernews.com)