A nascent botnet named Andoryu has been observed exploiting a critical security flaw, CVE-2023-25717, in the Ruckus Wireless Admin panel to gain unauthorized access to vulnerable devices.
The flaw, which affects Ruckus Wireless Admin through version 10.4 and stems from improper handling of HTTP requests, can be triggered by a single unauthenticated HTTP GET request to achieve remote code execution, putting Internet-exposed wireless access point equipment that has not been updated at significant risk.
Andoryu was first documented by Chinese cybersecurity firm QiAnXin in February 2023, which noted its use of the SOCKS5 protocol to communicate with its command-and-control servers.
The botnet had already been propagating through remote code execution flaws in GitLab (CVE-2021-22205) and Lilin DVRs; the addition of CVE-2023-25717 shows its operators continuing to broaden the exploit arsenal to compromise more devices.
Analysis of the attack chain shows that once a device is compromised through the Ruckus flaw, a shell script is fetched from a remote server and executed to download the bot payload onto the infected device.
The malware then connects to a command-and-control server and waits for instructions to launch DDoS attacks over ICMP, TCP, and UDP. The attacks are sold as a service on the operator's Telegram channel, with monthly plans priced from $90 to $115 depending on the attack duration purchased.
In a separate development, the RapperBot DDoS botnet has added cryptojacking capabilities to monetize compromised Intel x64 systems, dropping the XMRig Monero miner to extract as much value as possible from each infected machine.
RapperBot primarily spreads by brute-forcing IoT devices that use weak or default SSH or Telnet credentials, growing the footprint it uses for DDoS attacks. Bolting mining onto an established DDoS botnet shows how financially motivated operators squeeze additional revenue from systems they have already compromised; on the defensive side, brute-force activity of this kind is visible in authentication logs long before a device joins the botnet.
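The credential brute-forcing described above leaves a recognizable trail in sshd authentication logs. The following is an added example, not code from the article or from any published RapperBot analysis: it parses OpenSSH-style "Failed password" / "Accepted password" lines and flags source IPs that fail repeatedly inside a short window, try common default accounts, and then succeed with a password (a likely compromise). The log lines are constructed for the example, and the threshold, window, and default-account list are assumptions, not values from the source.

```python
"""Flag SSH credential brute-forcing in sshd auth logs.

Added example for this page (not code from the article or from any
RapperBot analysis). The sample log lines are constructed; thresholds and
the DEFAULT_ACCOUNTS list are assumptions a deployment would tune.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resembling /var/log/auth.log on a Linux-based IoT device.
SAMPLE_AUTH_LOG = """\
May 10 03:14:01 cam01 sshd[2211]: Failed password for root from 198.51.100.23 port 41022 ssh2
May 10 03:14:02 cam01 sshd[2211]: Failed password for root from 198.51.100.23 port 41024 ssh2
May 10 03:14:03 cam01 sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
May 10 03:14:04 cam01 sshd[2215]: Failed password for invalid user support from 198.51.100.23 port 41036 ssh2
May 10 03:14:05 cam01 sshd[2217]: Failed password for root from 198.51.100.23 port 41040 ssh2
May 10 03:14:06 cam01 sshd[2219]: Accepted password for root from 198.51.100.23 port 41044 ssh2
May 10 03:20:11 cam01 sshd[2301]: Failed password for alice from 192.0.2.7 port 50112 ssh2
May 10 03:20:15 cam01 sshd[2303]: Accepted publickey for alice from 192.0.2.7 port 50114 ssh2
"""

# OpenSSH login outcome lines: "Failed|Accepted <method> for [invalid user] <user> from <ip> port <n>"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Accounts IoT bots typically try first (assumed list, not from the source).
DEFAULT_ACCOUNTS = {"root", "admin", "support", "user", "guest"}


def parse_events(log_text):
    """Return login outcome events in log order; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Syslog stamps carry no year; strptime defaults to 1900, fine for deltas.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def analyze(log_text, fail_threshold=5, window_seconds=60):
    """Per source IP: failure count, users tried, burst flag, and whether a
    password login succeeded after failures (the compromise indicator)."""
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev["ip"]].append(ev)

    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        fail_times = [e["ts"] for e in failures]

        # Burst: any fail_threshold consecutive failures within window_seconds.
        burst = any(
            (fail_times[i + fail_threshold - 1] - fail_times[i]).total_seconds() <= window_seconds
            for i in range(len(fail_times) - fail_threshold + 1)
        )

        # Only a *password* success after failures counts; a key-based login
        # after a mistyped password is normal user behaviour, not brute force.
        first_fail = fail_times[0] if fail_times else None
        success_after = first_fail is not None and any(
            e["result"] == "Accepted" and e["method"] == "password" and e["ts"] > first_fail
            for e in evs
        )

        users = sorted({e["user"] for e in failures})
        report[ip] = {
            "failures": len(failures),
            "users_tried": users,
            "default_accounts_tried": sorted(set(users) & DEFAULT_ACCOUNTS),
            "burst": burst,
            "password_success_after_failures": success_after,
        }
    return report


def brute_force_suspects(log_text, **kwargs):
    """Sorted list of source IPs whose failures form a brute-force burst."""
    return sorted(ip for ip, r in analyze(log_text, **kwargs).items() if r["burst"])


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_AUTH_LOG).items():
        print(ip, r)
    print("suspects:", brute_force_suspects(SAMPLE_AUTH_LOG))
```

Run against the constructed sample, 198.51.100.23 is flagged: five failures in four seconds across root, admin and support, followed by an accepted password for root, which is exactly the pattern that precedes a device being enrolled in a botnet of this kind. 192.0.2.7 is not flagged, since a single failure followed by a public-key login is ordinary user behaviour. In production the same logic would read the live journal, and the thresholds would be tuned to the device's normal login rate.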