
RobinBot – A new type of DDoS botnet in rapid expansion

In early November 2022, the Qianxin Threat Intelligence Center detected an incident involving malicious samples from an unknown family. The captured samples borrow code from the Mirai and Gafgyt families, support a variety of self-named DDoS attack methods, and spread through the Telnet service. They also integrate multiple vulnerability exploits (Exp) similar to those used by the Omni family, and they are currently spreading rapidly on the Internet.

What matters here is that this new DDoS attack method is being actively spread in the wild and has no record in security reporting systems. Because only a few samples of its malicious code exist, we believe its rapid growth is not limited to a single organization or developer. The malware family was therefore named “RobinBot” in mid-November.

In the initial attack stage, the command-line service of the Gafgyt and Mirai bots is used to download configuration files to the remote host’s hard disk. A new module is then added in the “config/” directory; it collects all files in the “config/bin” folder and saves them as a single file named “botnetList.zip”. After this step, the bot must be configured to reach its control server over Telnet on port 4444 (for example: http://195.130.252.37:4444).

Source: RobinBot – A new type of DDoS botnet in rapid expansion - AlienVault - Open Threat Exchange
