A new malware named “RustoBot” has been discovered exploiting vulnerabilities in various router models to gain unauthorized access and initiate Distributed Denial of Service (DDoS) attacks.
This advanced cyber-threat, first observed in January to February 2025, targets TOTOLINK and DrayTek devices, showcasing sophisticated techniques unlike previously known malware.
Exploitation and Spread Strategy
The botnet leverages multiple command injection vulnerabilities, primarily residing in TOTOLINK’s cstecgi.cgi script and DrayTek’s cgi-bin/mainfunction.cgi/apmcfgupload interface.
.png
)
These vulnerabilities allow attackers to run arbitrary system commands remotely.
RustoBot uses several downloader scripts utilizing common commands like wget and tftp to propagate itself across devices with different architectures, including arm5, arm6, arm7, mips, mpsl, and x86.
Upon infection, RustoBot employs encryption to obfuscate its configuration, using the XOR algorithm with complex calculations to retrieve keys for decoding ciphertext.
This approach helps the malware evade detection by standard security systems.
Once decoded, the configuration assists in resolving command and control (C2) server domains and executing DDoS attacks.
The malware’s entry point, identified through reverse engineering, demonstrates a high level of sophistication, using system API offsets to perform its malicious behaviors.
DDoS Capabilities and Command Structure
RustoBot supports a variety of DDoS attack methods, including Raw IP, TCP, and UDP flooding.
It receives attack parameters from the C2 server, initiating attacks based on predefined commands.
For example, the 0x03 command triggers a UDP flood attack, specifying victim IP addresses, port numbers, attack duration, and packet lengths.
This structured command system enables attackers to coordinate significant disruptions with precision.
The malware campaigns were observed in Japan, Taiwan, Vietnam, and Mexico, targeting the technology sector.
The attacks not only compromise the security of the affected devices but also pose a significant risk to the operational integrity of businesses relying on these internet gateways.
To combat this threat, FortiGuard Labs has integrated multiple protective measures into its security solutions, including:
- Antivirus Services: FortiGuard Antivirus detects and blocks RustoBot under signatures like BASH/Mirai.AEH!tr.dldr and ELF/Mirai variations.
- Web Filtering: Blocks the C2 server connections.
- IPS Signatures: Offers protection against vulnerabilities exploited by RustoBot.
According to the Report, Fortinet advises organizations to strengthen endpoint monitoring and authentication, alongside considering training through their Fortinet Certified Fundamentals (FCF) in Cybersecurity.
This comprehensive approach by FortiGuard Labs ensures a robust defense against the emerging threat of RustoBot, urging all stakeholders in the cybersecurity community to remain vigilant and proactive.
Table of Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| URL | hxxp://66[.]63[.]187[.]69/w.sh |
| URL | hxxp://66[.]63[.]187[.]69/wget.sh |
| URL | hxxp://66[.]63[.]187[.]69/tftp.sh |
| Host | dvrhelper[.]anondns[.]net, techsupport[.]anondns[.]net, rustbot[.]anondns[.]net |
| IP | 5[.]255[.]125[.]150 |
| File Hash | 76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454, 75d031e8faaf3aa0e9cafd5ef0fd7de1a2a80aaa245a9e92bae6433a17f48385, … |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
![Pinterest](https://pinterest.com/pin/create/button/?url=https://gbhackers.com/new-rust-based-botnet-hijacks-routers/&media=https://i0.wp.com/blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTukFYXM0ckPO9G0vjplOgc9cQxUjed8x5Hsrol69phveBlxkxmd3AMi3_KZ5qeiy0b-j8_TTcuTLvN8O4Myl7tnlMp0nT6-XbMrcS9gLMXziU3o5JFnkwZg4zgxaR47PL8P0KYgpaH9CGGVOtAcT2sKUWJOW7hMfrFvOrkkNXN9o4fQhQgWtG1xOjxuo/s16000/Routers.webp?w=1200&resize=1200,0&ssl=1&description=A new malware named "RustoBot" has been discovered exploiting vulnerabilities in various router models to gain unauthorized access.){kind=link}