Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack

The Hacker News (thehackernews.com), May 11, 2023, 7:05 a.m.

CVSS3 base score: 10 (High)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2 base score: 7.5 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.974 (High), percentile 99.9%

A nascent botnet called Andoryu has been found to exploit a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices.

The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment.

Andoryu was first documented by Chinese cybersecurity firm QiAnXin earlier this February, detailing its ability to communicate with command-and-control (C2) servers using the SOCKS5 protocol.

While the malware is known to weaponize remote code execution flaws in GitLab (CVE-2021-22205) and Lilin DVR for propagation, the addition of CVE-2023-25717 shows that Andoryu is actively expanding its exploit arsenal to ensnare more devices into the botnet.

“It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies,” Fortinet FortiGuard Labs researcher Cara Lin said, adding the latest campaign commenced in late April 2023.

Further analysis of the attack chain has revealed that once the Ruckus flaw is used to gain access to a device, a script from a remote server is dropped onto the infected device for proliferation.

The malware, for its part, also establishes contact with a C2 server and awaits further instructions to launch a DDoS attack against targets of interest using protocols like ICMP, TCP, and UDP.

The cost associated with mounting such attacks is advertised via a listing on the seller’s Telegram channel, with monthly plans ranging from $90 to $115 depending on the duration.

RapperBot Botnet Adds Crypto Mining to its List of Capabilities

The alert follows the discovery of new versions of the RapperBot DDoS botnet that incorporate cryptojacking functionality to profit off compromised Intel x64 systems by dropping a Monero crypto miner.

RapperBot campaigns have primarily focused on brute-forcing IoT devices with weak or default SSH or Telnet credentials to expand the botnet’s footprint for launching DDoS attacks.
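Because the propagation described here is plain password guessing against SSH and Telnet, the most useful defensive signal is the burst of failed logins it leaves in the target's authentication log, followed by a success from the same source once a weak credential is found. The detector below is an added example, not code from the article or from Fortinet; the log lines it runs over are constructed for illustration (sshd syslog format, RFC 5737 test addresses) and the threshold and window values are assumptions a deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd authentication events (not from the article):
# a guessing burst from one address, a guessed "admin" password, and a
# normal user logging in from elsewhere.
SAMPLE_AUTH_LOG = """\
May 11 07:01:02 ap-gw sshd[2101]: Failed password for root from 203.0.113.7 port 51120 ssh2
May 11 07:01:03 ap-gw sshd[2103]: Failed password for admin from 203.0.113.7 port 51121 ssh2
May 11 07:01:04 ap-gw sshd[2105]: Failed password for invalid user pi from 203.0.113.7 port 51122 ssh2
May 11 07:01:05 ap-gw sshd[2107]: Failed password for admin from 203.0.113.7 port 51123 ssh2
May 11 07:01:06 ap-gw sshd[2109]: Failed password for root from 203.0.113.7 port 51124 ssh2
May 11 07:01:09 ap-gw sshd[2111]: Accepted password for admin from 203.0.113.7 port 51125 ssh2
May 11 07:15:40 ap-gw sshd[2200]: Failed password for alice from 198.51.100.4 port 40010 ssh2
May 11 07:20:01 ap-gw sshd[2210]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2023):
    """Return a dict for an auth event, or None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag a source once it accumulates `threshold` failures inside a sliding
    window, and separately flag any later successful login from that source."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    flagged = set()
    alerts = []
    for e in events:
        src = e["src"]
        if e["outcome"] == "Failed":
            cutoff = e["ts"] - timedelta(seconds=window_seconds)
            failures[src] = [t for t in failures[src] if t >= cutoff] + [e["ts"]]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "bruteforce", "src": src,
                               "failures": len(failures[src]), "at": e["ts"]})
        elif src in flagged:
            # A success after a flagged burst means a credential was guessed.
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(a)
```

On the sample it raises two alerts: a brute-force alert for 203.0.113.7 after its fifth failure, and a success-after-brute-force alert when that same address logs in as "admin". The single failure from 198.51.100.4 and the key-based login stay quiet. The second alert type is the one worth paging on, since it marks a device that is now part of the attacker's inventory rather than merely being probed.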

Fortinet said it detected the latest iteration of the RapperBot miner activity in January 2023, with the attacks delivering a Bash shell script that, in turn, is capable of downloading and executing separate XMRig crypto miners and RapperBot binaries.

Subsequent updates to the malware have merged the two disparate functions into a single bot client with mining capabilities, while also taking steps to terminate competing miner processes.

Interestingly, none of the new RapperBot samples with the integrated XMRig miner incorporate self-propagation capabilities, raising the possibility of an alternate distribution mechanism.

“This suggests the possible availability of an external loader operated by the threat actor that abuses the credentials collected by other RapperBot samples with brute forcing capabilities and infects only x64 machines with the combined bot/miner,” Fortinet theorized.

RapperBot’s expansion to cryptojacking is yet another indication that financially motivated threat operators leave no stone unturned to “extract the maximum value from machines infected by their botnets.”

The twin developments also come as the U.S. Justice Department announced the seizure of 13 internet domains associated with DDoS-for-hire services.
