A new series of malicious Roboto Botnet activities has come to light, exploiting an RCE vulnerability to attack Linux Webmin servers.
The first to discover the Roboto Botnet was Netlab360, which characterized it as an ELF (Executable and Linkable Format) file. The first discovery was made in August, and later its honeypot also detected another suspected ELF sample, which served as a downloader for the bot.
In the last three months, security researchers have been constantly monitoring Roboto's movements and activities to discover its goals and methods.
It has been discovered that the Roboto Botnet uses algorithms such as Curve25519, Ed25519, TEA, SHA256 and HMAC-SHA256 to maintain its integrity, protect itself and keep persistent control over Linux Webmin servers.
According to the researchers: "the botnet has DDoS functionality, but it seems that DDoS attacks are not its main purpose. We haven't detected any DDoS attacks since we discovered it. We still need to know its true purpose."
Researchers observed Roboto spreading via 22.214.171.124 (a Webmin honeypot service), and the downloader sample spreading through the Webmin RCE vulnerability (CVE-2019-15107).
The URL http://126.96.36.199/boot is used to distribute the payload.
The main purpose of the Roboto downloader is to fetch the encrypted Roboto Bot program from a specific URL. The malicious program then decrypts it and executes it.
The Roboto Botnet can perform a variety of advanced functions, such as reverse shell, self-uninstall, network information collection, information collection, executing system commands, executing encrypted files specified by URL, DDoS attacks, and more.
Roboto can carry out DDoS attacks using the following methods:
Netlab360 recommends that Webmin users check whether they are infected by inspecting processes, file names and UDP network connections, and that they block all IPs, URLs and domain names related to the botnet.
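One way to perform the UDP-connection check recommended above, as an added example that is not part of the article or of Netlab360's tooling: it parses the kernel's /proc/net/udp table, decodes the hex-encoded endpoints, and flags any socket whose remote peer is a known indicator. The indicator set below holds only the downloader host named in the article; the sample table is constructed, and the decoding assumes a little-endian host (x86, most ARM).

```python
import socket
import struct

# Indicator set: the downloader host from the article. Extend it with IOCs
# from your own feed; anything else here is a constructed example.
IOC_IPS = {"126.96.36.199"}

def decode_endpoint(hex_endpoint: str) -> tuple[str, int]:
    """Decode a /proc/net/udp 'AABBCCDD:PPPP' field into (dotted_ip, port).

    The kernel prints the IPv4 address as a native-endian 32-bit word, so on a
    little-endian host the bytes appear reversed; the port is plain hex.
    """
    ip_hex, port_hex = hex_endpoint.split(":")
    ip_bytes = struct.pack("<I", int(ip_hex, 16))  # assumes little-endian host
    return socket.inet_ntoa(ip_bytes), int(port_hex, 16)

def parse_proc_net_udp(text: str) -> list[dict]:
    """Parse the /proc/net/udp table into a list of socket records."""
    records = []
    for line in text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        records.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),        # map to a PID via /proc/*/fd
        })
    return records

def find_suspicious(records: list[dict], iocs: set[str] = IOC_IPS) -> list[dict]:
    """Return the sockets whose remote peer is in the indicator set."""
    return [r for r in records if r["remote"][0] in iocs]

# Constructed sample: a local DNS resolver socket and a socket connected to
# the downloader host (126.96.36.199 -> 7E 60 24 C7, printed as C724607E).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
   1: 0F02000A:C2A4 C724607E:0539 01 00000000:00000000 00:00000000 00000000     0        0 67890 2 0000000000000000 0
"""

if __name__ == "__main__":
    table = open("/proc/net/udp").read()
    for hit in find_suspicious(parse_proc_net_udp(table)):
        print(f"socket inode {hit['inode']} (uid {hit['uid']}) -> {hit['remote']}")
```

Run on a live host it reads the real table; the inode it prints can be matched against the symlinks in /proc/<pid>/fd to identify the owning process.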