Roboto Botnet Exploiting Linux Webmin Server RCE Vulnerability

A new wave of Roboto botnet activity has been discovered targeting Linux Webmin servers: the botnet exploits an RCE vulnerability using a vulnerability scanning module and is controlled through a P2P module.
The Roboto botnet was initially detected by the 360Netlab Unknown Threat Detection System as an ELF (Executable and Linkable Format) file in August; later, a honeypot caught another suspicious ELF sample that acts as a downloader to drop the bot.
The researchers' continuous tracking over the past 3 months made it possible to observe the Roboto botnet's activities, targets, and exploitation methods.
The attackers behind the Roboto botnet employ several algorithms, including Curve25519, Ed25519, TEA, SHA256 and HMAC-SHA256, to maintain the integrity of its components, protect them from tampering, and keep persistent control over infected Linux Webmin servers.
Researchers said that “the botnet has DDoS functionality, but it seems DDoS is not its main goal. We have yet to capture a single DDoS attack command since it showed up on our radar. We still have yet to learn its true purpose.”
Researchers observed Roboto propagating through their Webmin service honeypot, with the downloader sample spreading via the Webmin RCE vulnerability (CVE-2019-15107).
A download URL ( ) is used to drop the following payload.
The Roboto downloader's main purpose is to fetch the encrypted Roboto bot program from a specific URL; it then decrypts the program and executes it.
The attackers use the XOR encryption algorithm to obtain the bot file, and the downloader also creates a self-starting script based on the release version of the Linux system.
The Roboto botnet can perform a variety of sophisticated functions, including reverse shell, self-uninstall, gathering process and network information, gathering bot information, executing system commands, running encrypted files specified by URLs, DDoS attacks, and more.
To perform DDoS attacks, Roboto provides four attack methods.
Netlab360 warned Webmin users to check whether they are infected by inspecting processes, file names, and UDP network connections, and to block the Roboto botnet's related IPs, URLs, and domain names.
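As an added example (not Netlab's tooling), a Python hunt script that follows the advice above: it parses `ss -uanp` output, flags UDP sockets whose process name, binary path or peer address matches an indicator, and treats binaries running from temp directories or already unlinked as suspicious. The indicator sets are placeholders, since the page does not reproduce the published ones, and the `ss` lines are constructed sample data.

```python
import re

# PLACEHOLDER indicators: the page omits Netlab's list, fill these from the report.
BOT_PROCESS_NAMES = {"placeholder_bot"}
BOT_FILE_PATHS = {"/tmp/placeholder_bot"}
BLOCKED_PEERS = {"203.0.113.10"}  # constructed (RFC 5737 documentation range)

# One `ss -uanp` line: state, queues, local, peer, optional owning process.
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?')

def parse_ss_udp(text):
    """Parse `ss -uanp` output into socket records; the header line is skipped."""
    rows = []
    for m in filter(None, map(SS_LINE.match, text.splitlines())):
        rows.append({"local": m.group("local"), "peer": m.group("peer"),
                     "proc": m.group("proc"),
                     "pid": int(m.group("pid")) if m.group("pid") else None})
    return rows

def suspicious_sockets(rows, exe_paths):
    """Flag sockets whose process name, binary path or peer matches an indicator.
    exe_paths maps pid -> os.readlink('/proc/<pid>/exe'), gathered by the caller."""
    hits = []
    for r in rows:
        reasons = []
        exe = exe_paths.get(r["pid"], "")
        peer_ip = r["peer"].rsplit(":", 1)[0]  # strip :port ('*' when unconnected)
        if r["proc"] in BOT_PROCESS_NAMES:
            reasons.append("process name")
        if exe.replace(" (deleted)", "") in BOT_FILE_PATHS:
            reasons.append("file name")
        if exe.startswith(("/tmp/", "/dev/shm/")) or exe.endswith(" (deleted)"):
            reasons.append("unusual exe path")  # dropped in temp or already unlinked
        if peer_ip in BLOCKED_PEERS:
            reasons.append("blocked peer")
        if reasons:
            hits.append({"pid": r["pid"], "proc": r["proc"], "peer": r["peer"], "reasons": reasons})
    return hits

# Constructed sample output: two benign daemons and one bot-like UDP socket.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
UNCONN 0      0      0.0.0.0:68         0.0.0.0:*          users:(("dhclient",pid=611,fd=6))
UNCONN 0      0      10.0.0.5:50417     203.0.113.10:50417 users:(("placeholder_bot",pid=4242,fd=3))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*          users:(("chronyd",pid=530,fd=5))
"""
SAMPLE_EXE = {611: "/usr/sbin/dhclient", 4242: "/tmp/placeholder_bot (deleted)", 530: "/usr/sbin/chronyd"}
```

On a live host, feed `suspicious_sockets` the real `ss -uanp` output and a dict built from `/proc/<pid>/exe` for each PID it reports.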
