Abcbot Botnet

Abcbot Botnet Description

The Abcbot Botnet is a new botnet threat that is being actively developed. It follows the recent trend among cybercriminals of diversifying the programming languages used for their threatening creations and is written in Golang (Go). Go has become a preferred choice in cybercriminal circles, as it offers cross-platform capabilities while making the threats harder to detect and reverse engineer. Currently, the threat is capable of worm-like propagation, self-updating, establishing a Web server and carrying out DDoS attacks.

Abcbot's Evolution

One of the earliest samples of Abcbot was detected by researchers back in July 2021. At the time, the threat was relatively simple, acting more as a scanner that attacked Linux devices with weak passwords or that could be infected via known vulnerabilities. In essence, Abcbot used worm-like behavior to propagate itself. However, it contained a string named 'dga.go' that could hint at the future intentions of the hackers.

Not long after, Abcbot was indeed equipped with domain generation algorithm (DGA) functionality as part of a self-updating feature. The next meaningful update saw the addition of an open-source ATK rootkit. The intention of the hackers was to boost the threat's DDoS capabilities. They quickly gave up on this particular method, removed the ATK rootkit, and instead went with their own implementation of DDoS functionality. As a result, the latest Abcbot versions support nine different DDoS attack methods, including TLS, TCP, UDP, ACE, HTTP GET and more.

Further Development

While Abcbot is clearly leaving the very early stages of its development and moving towards maturity, it is apparent that the threat is still being actively iterated upon. However, the development process is not a smooth path towards becoming a more sophisticated threat with complex features. Instead, the cybercriminals appear to be trying out different techniques and seeing which ones suit their goals best. As a result, the current Abcbot versions include many inconsistencies, such as reporting device information multiple times, lacking fully implemented Web server functionality, not registering the DGA domain names, etc.