A security research firm has been tracking a botnet that first popped onto its radar back in August that for some reason declines to make use of its DDos capabilities.
The first bit of evidence found on the Roboto botnet was when the 360 Netlab team detected a suspicious ELF file in August and then in October captured what turned out to be the downloader for that file in a honeypot. The downloader pulls the botnet from two hard-coded URLS.
The malware compromises systems by abusing the Webmin RCE vulnerability CVE-2019-15107.
Besides being able to launch a DDoS campaign, Roboto has six additional functions: reverse shell, self-uninstall, gather process' network information, gather Bot information, execute system commands and run encrypted files specified in URLs, 360 Netlabs reported.
“Roboto Botnet has DDoS functionality, but it seems DDoS is not its main goal. We have yet to capture a single DDoS attack command since it showed up on our radar. We still yet to learn its true purpose,” the team said.
What is being constructed is a P2P botnet comprised of Linux servers. One that uses Curve25519, Ed25519, TEA, SHA256, HMAC-SHA256 and other algorithms to ensure the integrity and security of its components and P2P network, create the corresponding Linux self-starting script based on the target system and disguise its own files and processes name to gain persistence control.