Researchers at Fortinet have identified a new botnet campaign that utilises a Ruckus remote code execution (RCE) vulnerability to install malware and perform distributed denial of service (DDoS) attacks. This botnet is known as AndoryuBot due to the filename ‘Andoryu’ being used for the malware installed in this attack. It was first seen in attacks in February 2023, however it is believed to have started last year, due to the string “Project Andoryu(12/30/2022). What color is your botnet !” being printed during its execution. The current version of this botnet was detected in April 2023, where the Ruckus vulnerability CVE-2023-25717 is exploited. A threat signal report was published by FortiGuard Labs at the end of last month due to a detected spike in the IPS signature for the exploitation of this flaw, which peaked at a trigger count of 1250.  

Ruckus Networks identified and patched the currently exploited vulnerability in February 2023. This RCE vulnerability affects Ruckus Wireless Admin panels of version 10.4 and earlier. A security bulletin released at the time lists all the vulnerable Ruckus products, which totals 58 different Wi-Fi access point device models. Some of these devices have patches available, links to which are included in the security bulletin, however some of the affected devices are end-of-life, so no patch will be made available for these products. Proof of concept (PoC) code is available for the exploit of this flaw, as well as evidence of active exploitation in the wild in these botnet attacks. Administrators should therefore patch or replace all vulnerable systems as soon as possible. 

CVE-2023-25717 causes improper handling of HTTP GET requests, which results in remote code execution. An attacker can craft a malicious, unauthenticated, HTTP request and send it to the vulnerable server, resulting in complete compromise of the affected devices. This exploit can only be performed by an authenticated attacker, however, this attack can be executed remotely. This has resulted in this vulnerability being given a critical severity rating, and a CVSS base score of 9.8. The AndoryuBot botnet attack uses this flaw for initial access to the vulnerable wireless admin panel Wi-Fi access point, where it can then download a malicious script from a hardcoded URL for further propagation. 

The downloaded script uses curl as its file extension, which is the downloading method used to retrieve this script initially. The AndoryuBot version analysed by Fortinet was found to target seven architectures: arm, m68k, mips, mpsl, sh4, spc, and x86. First, the malicious script checks the file parameters, then it decodes the data from the .rodata section using the encryption key 0x2A41605D. This is the stage at which the string “Project Andoryu(12/30/2022). What color is your botnet !” is printed after the execution of the XOR decoding function. This is the final stage of the initialisation of the malware. 

Once the initialisation is complete, an HTTP GET request is sent to api.ipify.org. This contains a hardcoded User-Agent string and is used to extract the public IP address of the target device. A connection is then established with a command and control (C2) server controlled by the attacker. The C2 server connection is established through the SOCKS (Socket Secure) protocol, and communication is propagated using SOCKS5 proxies. This protocol allows for firewalls to be bypassed so that the commands can be executed. Once this communication channel is set up it can then be used to trigger the next stage of the attack. 

A command from the C2 server containing functions for a DDoS attack is then sent to the client device. There are 12 methods included in these functions which have been identified through the decoded data mentioned previously: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo. The DDoS attack command causes the system to begin the attack on a specific IP address using a specific port number. The length of the DDoS attack depends on what level of service has been purchased from the threat actors controlling the botnet. The threat actor has set up a Telegram channel to sell this service, including a tiered pricing list for set numbers of daily attacks.  

The offering of this botnet in as-a-service DDoS attacks allows unsophisticated attackers to perform this attack for a price making it more likely that these attacks will occur frequently. Any users of vulnerable Ruckus devices should therefore prioritise the mitigation of CVE-2023-25717 to avoid falling victim to these attacks. AndoryuBot is promoted through YouTube videos that demonstrate the capabilities of the botnet, and PoC code has been published, so exploitation of these services is likely to continue to increase in occurrences. 

In general botnet malware infections can be mitigated against by ensuring all hardware and software in use is up to date with security patches, and that unsupported end-of-life products are not used. This prevents attackers from being able to exploit vulnerabilities in your systems to gain initial access and install malware for further propagation. Strong administrator credentials and device passwords including the use of MFA can secure your essential and Wi-Fi enabled devices against unauthorised access, and better protect your network. Some settings and capabilities will not always be needed on access points and routers such as remote admin panel access. In these cases, it is better to disable these functions while they are not required to prevent them being abused and exploited.