Named Abcbot, the botnet has targeted servers hosted by companies like Alibaba Cloud, Baidu, Tencent, and Huawei Cloud. The malware disables SELinux security protections, creates a backdoor for the attacker, and then scans the infected hosts for signs of other malware botnets. These attacks typically target Linux servers with weak passwords or are running unpatched applications. Abcbot kills processes associated with other botnets and processes related to cryptomining operations. If competing malware is found, Abcbot removes its own SSH keys and only leaves its own in place.
This behavior suggests that other groups are using a similar technique, which developers have also picked up on and decided to block. Previous samples analyzed by Trend Micro and Netlab included modules for cryptocurrency mining and DDoS attacks.