Hackers are enslaving Linux servers running unpatched Webmin installations into a new botnet, dubbed Roboto by security researchers at 360 Netlab who have observed it for nearly three months.
Roboto's activity came to light when the research team spotted a suspicious ELF file (4cd7bcd0960a69500aa80f32762d72bc) in August this year and, on analysis, determined that it was a P2P bot program. Several months later the firm's honeypot captured another suspicious ELF sample (4b98096736e94693e2dc5a1361e1a720), which turned out to be the downloader module for the first sample. The downloader's main purpose is to fetch the encrypted Roboto bot program from a specific URL; it then decrypts and executes it.
The researchers believe that the Roboto botnet also has a vulnerability scanning module and a P2P control module, but they haven’t managed to retrieve these components so far.
A deeper analysis of the captured samples revealed that the Roboto bot mainly supports seven functions, including a reverse shell, self-uninstall, system command execution, gathering process, network and bot information, running encrypted files fetched from specified URLs, and launching DDoS attacks. Roboto's DDoS module supports four attack methods: ICMP flood, HTTP flood, TCP flood and UDP flood. Despite this functionality, DDoS does not appear to be Roboto's main purpose, as the researchers have so far not observed a single DDoS attack command.
Roboto expands its bot network by compromising Linux servers running the Webmin web-based system administration tool that are vulnerable to an RCE flaw tracked as SB2019081608 (CVE-2019-15107). The vulnerability affects Webmin versions up to and including v1.921 (it can be mitigated by updating to Webmin 1.930 or by disabling the 'user password change' option). According to Webmin's GitHub page, it has "over 1,000,000 installations worldwide", and search results from the Shodan and BinaryEdge search engines show more than 700,000 reachable Webmin servers, although it should be said that not all of them are running Linux or a vulnerable version of the software.
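An added defender-side pre-check built from the two facts above (versions up to 1.921 are affected, and the bug is only reachable with the password-change option on); this is not code from Netlab or Webmin, and the `/etc/webmin/version` path and the `passwd_mode` key in `miniserv.conf` are assumptions about how a Webmin install stores those settings:

```python
"""Read-only exposure check for CVE-2019-15107 on a Webmin host.

Assumptions (not stated in the article): Webmin keeps its version string in
/etc/webmin/version, and the 'user password change' option is the
'passwd_mode' key in /etc/webmin/miniserv.conf, where the value 2 means
"prompt users with expired passwords to enter a new one".
"""
import re

LAST_VULNERABLE = "1.921"   # highest affected version per the report
FIXED = "1.930"             # update target named in the report


def parse_version(text: str) -> tuple:
    """Turn '1.921' or '2.001' into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Webmin version: {text!r}")
    return tuple(int(x) for x in m.groups())


def parse_miniserv_conf(text: str) -> dict:
    """miniserv.conf is a flat key=value file; first occurrence wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf.setdefault(key.strip(), value.strip())
    return conf


def assess(version_text: str, miniserv_text: str) -> dict:
    """Combine both facts: exposed only if old version AND option enabled."""
    vulnerable_version = parse_version(version_text) <= parse_version(LAST_VULNERABLE)
    password_change_on = parse_miniserv_conf(miniserv_text).get("passwd_mode") == "2"
    return {
        "version": version_text.strip(),
        "vulnerable_version": vulnerable_version,
        "password_change_enabled": password_change_on,
        "exposed": vulnerable_version and password_change_on,
        "fix": f"update to Webmin {FIXED}+ or set passwd_mode to 0 or 1",
    }


# Constructed sample input standing in for the two files on a hypothetical host.
SAMPLE_VERSION = "1.921\n"
SAMPLE_MINISERV = "port=10000\nssl=1\npasswd_mode=2\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_MINISERV))
```

On a real host, read the two files instead of the constructed samples; the script only reads configuration and never touches the Webmin service.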
Apart from using the P2P communication protocol (which is rarely seen in DDoS botnets), the Roboto botnet “uses Curve25519, Ed25519, TEA, SHA256, HMAC-SHA256 and other algorithms to ensure the integrity and security of its components and P2P network, create the corresponding Linux self-starting script based on the target system, and disguise its own files and processes name to gain persistence control," the researchers found.
Netlab360 recommends that Webmin users check whether they are infected by examining process names, file names and UDP network connections, and that they block the Roboto-related IPs, URLs and domain names. All Indicators of Compromise (IoCs), including malware sample hashes, server addresses and hardcoded peer IPs, are provided in the last part of the Netlab360 report.