
AndoryuBot Botnet Leverages RCE Bug in Ruckus Wireless Access Points

In February, researchers discovered a new botnet called AndoryuBot, which uses the SOCKS protocol and spreads by exploiting a vulnerability in Ruckus access points (APs). AndoryuBot has a DDoS attack module that can launch a variety of DDoS attacks on targeted machines.

Campaign details

AndoryuBot abuses a Ruckus vulnerability tracked as CVE-2023-25717 to gain access to a device and then downloads a script for further distribution.
  • The botnet targets multiple architectures, including arm, mips, m68k, mpsl, sh4, x86, and spc, and communicates with its C2 using SOCKS5 proxies.
  • It is saved under the filename Andoryu, which is where the campaign obtained its name.
  • The botnet uses the name of a popular Linux-based download utility, curl, as its file extension.

Attack phases

FortiGuard Labs has performed a detailed technical analysis of AndoryuBot’s various attack phases. Here are some of the key highlights:

  • Initialization: AndoryuBot first checks the number of parameters passed during its execution. For instance, the sample targeting x86 expects two parameters, Andoryu.10curl and ruckus, and then decodes data from the .rodata section.
  • C2 Communication: After initialization, the botnet sends a GET request to obtain the victim’s public IP address. The HTTP request to api[.]ipify[.]org carries a hardcoded, browser-like user-agent string that references Mozilla, Google Chrome, and Apple WebKit.
  • DDoS Attacking: Once the communication channel is set up, the client waits for instructions from the server to perform a DDoS attack. The botnet supports 12 attack methods or types, including tcp-raw, tcp-cnc, udp-game, and icmp-echo.
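The public-IP lookup described in the C2 Communication phase is a useful detection hook: a headless access point has no reason to query an IP-lookup service with a browser user-agent. The following is an added example of that check, written for this page and not code from Cyware or FortiGuard. It assumes a simple egress-proxy log format, an AP management subnet of 10.20.0.0/24, and constructed sample log lines; the user-agent strings are made up for illustration and are not the botnet's real string.

```python
import ipaddress
import re
import urllib.parse
from typing import Dict, List, Optional

# Constructed sample egress-proxy log lines (not from the article).
# Assumed format: "<timestamp> <src_ip> <method> <url> \"<user-agent>\""
SAMPLE_LOG = [
    '2023-05-10T12:00:01Z 10.20.0.15 GET http://api.ipify.org/ '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0 Safari/537.36"',
    '2023-05-10T12:00:03Z 10.50.1.22 GET https://example.com/ '
    '"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0 Safari/537.36"',
    '2023-05-10T12:00:07Z 10.20.0.31 GET http://api.ipify.org/ "curl/7.88.1"',
    '2023-05-10T12:00:09Z 10.50.1.40 GET http://api.ipify.org/ '
    '"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0 Safari/537.36"',
]

# Assumption: wireless APs sit in a dedicated management subnet; a lookup
# from a workstation in another subnet is ordinary and is not flagged.
AP_MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

# Public-IP lookup services a headless AP has no business calling.
IP_LOOKUP_HOSTS = {"api.ipify.org"}

# Tokens the article says appear in the botnet's hardcoded user-agent.
BROWSER_TOKENS = ("Mozilla", "AppleWebKit", "Chrome")

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, ua = m.groups()
    host = urllib.parse.urlsplit(url).hostname or ""
    return {"ts": ts, "src": src, "method": method, "host": host, "ua": ua}


def is_browser_like(ua: str) -> bool:
    """True when the user-agent claims to be a desktop browser."""
    return all(tok in ua for tok in BROWSER_TOKENS)


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Flag public-IP lookups originating from the AP management subnet.

    Each hit records the source address and the reason; a browser-like
    user-agent on a headless device strengthens the signal.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        if src in AP_MGMT_NET and rec["host"] in IP_LOOKUP_HOSTS:
            reason = "public-IP lookup from AP management subnet"
            if is_browser_like(rec["ua"]):
                reason += "; browser-like user-agent on headless device"
            hits.append({"ts": rec["ts"], "src": rec["src"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']}: {hit['reason']}")
```

Scoping the rule to the AP management subnet keeps ordinary workstation lookups out of the alert queue; a hit from an AP is worth checking against the vendor's patch status for CVE-2023-25717, and the same subnet-based filter can be applied to outbound SOCKS5 connections, which the article identifies as the botnet's C2 channel.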

Conclusion

The AndoryuBot botnet spreads rapidly and conceals its communication within genuine network traffic by using the SOCKS protocol to talk to its C2 server. The first step in securing your system is to apply the vendor patch that fixes the exploited flaw. Experts also recommend deploying a good anti-malware solution and a web filtering service, and having a robust patch management system in place to fend off such threats. These measures can help prevent the botnet from infecting your system and reduce the risk of DDoS attacks.
Cyware Publisher
