A new malware named “RustoBot” has been discovered exploiting vulnerabilities in various router models to gain unauthorized access and initiate Distributed Denial of Service (DDoS) attacks.
This advanced cyber-threat, first observed between January and February 2025, targets TOTOLINK and DrayTek devices and shows techniques unlike those of previously known malware.
The botnet leverages multiple command injection vulnerabilities, primarily residing in TOTOLINK’s cstecgi.cgi script and DrayTek’s cgi-bin/mainfunction.cgi/apmcfgupload interface.
These vulnerabilities allow attackers to run arbitrary system commands remotely.
RustoBot uses several downloader scripts built on common commands such as wget and tftp to propagate itself across devices with different architectures, including arm5, arm6, arm7, mips, mpsl, and x86.
Upon infection, RustoBot employs encryption to obfuscate its configuration, using the XOR algorithm with complex calculations to retrieve keys for decoding ciphertext.
This approach helps the malware evade detection by standard security systems.
Once decoded, the configuration assists in resolving command and control (C2) server domains and executing DDoS attacks.
The malware’s entry point, identified through reverse engineering, demonstrates a high level of sophistication, using system API offsets to perform its malicious behaviors.
RustoBot supports a variety of DDoS attack methods, including Raw IP, TCP, and UDP flooding.
It receives attack parameters from the C2 server, initiating attacks based on predefined commands.
For example, the 0x03 command triggers a UDP flood attack, specifying victim IP addresses, port numbers, attack duration, and packet lengths.
This structured command system enables attackers to coordinate significant disruptions with precision.
The malware campaigns were observed in Japan, Taiwan, Vietnam, and Mexico, targeting the technology sector.
The attacks not only compromise the security of the affected devices but also pose a significant risk to the operational integrity of businesses relying on these internet gateways.
To combat this threat, FortiGuard Labs has integrated multiple protective measures into its security solutions, including:
According to the report, Fortinet advises organizations to strengthen endpoint monitoring and authentication, and points to its Fortinet Certified Fundamentals (FCF) in Cybersecurity training.
This comprehensive approach by FortiGuard Labs ensures a robust defense against the emerging threat of RustoBot, urging all stakeholders in the cybersecurity community to remain vigilant and proactive.
| Type | Value |
|---|---|
| URL | hxxp://66[.]63[.]187[.]69/w.sh |
| URL | hxxp://66[.]63[.]187[.]69/wget.sh |
| URL | hxxp://66[.]63[.]187[.]69/tftp.sh |
| Host | dvrhelper[.]anondns[.]net, techsupport[.]anondns[.]net, rustbot[.]anondns[.]net |
| IP | 5[.]255[.]125[.]150 |
| File Hash | 76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454, 75d031e8faaf3aa0e9cafd5ef0fd7de1a2a80aaa245a9e92bae6433a17f48385, … |
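As an added example (not code from the report or from FortiGuard Labs), the script below turns the published indicators into a small log sweep: it refangs the defanged URLs, hosts and IP, also treats the host embedded in the download URLs as an indicator, and additionally flags any request to the two vulnerable endpoints named above that carries a wget or tftp download in the same line. The DNS, proxy, firewall and router access-log lines are constructed for the demonstration; their format and the elided request parameter are assumptions, not captures from the campaign.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as published in the report's table (defanged).
IOCS = {
    "url": [
        "hxxp://66[.]63[.]187[.]69/w.sh",
        "hxxp://66[.]63[.]187[.]69/wget.sh",
        "hxxp://66[.]63[.]187[.]69/tftp.sh",
    ],
    "host": [
        "dvrhelper[.]anondns[.]net",
        "techsupport[.]anondns[.]net",
        "rustbot[.]anondns[.]net",
    ],
    "ip": ["5[.]255[.]125[.]150"],
}

# Vulnerable endpoints named in the report, plus the downloader tools it mentions.
ENDPOINT_RE = re.compile(r"/cstecgi\.cgi|/cgi-bin/mainfunction\.cgi/apmcfgupload", re.I)
DOWNLOADER_RE = re.compile(r"(?<![A-Za-z])(wget|tftp)(?![A-Za-z])", re.I)


def refang(value: str) -> str:
    """Undo the usual defanging so the value can be matched against real logs."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def build_patterns() -> list[tuple[str, str, re.Pattern]]:
    indicators = [(kind, refang(v)) for kind, values in IOCS.items() for v in values]
    # The download host inside the URLs is an indicator in its own right
    # (it shows up in proxy and firewall logs without the path).
    for url in IOCS["url"]:
        indicators.append(("ip", urlparse(refang(url)).hostname))
    seen, patterns = set(), []
    for kind, value in indicators:
        if value in seen:
            continue
        seen.add(value)
        # Hosts and IPs are bounded so 5.255.125.150 does not match 5.255.125.1500.
        body = re.escape(value)
        if kind in ("host", "ip"):
            body = r"(?<![\w.])" + body + r"(?![\w.])"
        patterns.append((kind, value, re.compile(body, re.I)))
    return patterns


PATTERNS = build_patterns()


def scan(lines: list[str]) -> list[dict]:
    """Return one hit per (line, rule) pair; the caller decides how to alert."""
    hits = []
    for number, line in enumerate(lines, 1):
        for kind, value, pattern in PATTERNS:
            if pattern.search(line):
                hits.append({"line": number, "rule": f"ioc:{kind}", "value": value})
        endpoint = ENDPOINT_RE.search(line)
        if endpoint and DOWNLOADER_RE.search(line):
            hits.append({"line": number, "rule": "endpoint+downloader",
                         "value": endpoint.group(0)})
    return hits


# Constructed sample lines (DNS, proxy, router access log, firewall, two benign).
SAMPLE_LOGS = [
    "2025-02-03T03:14:07Z dns client=10.0.0.7 query=rustbot.anondns.net type=A",
    "2025-02-03T03:14:09Z proxy src=10.0.0.7 url=http://66.63.187.69/wget.sh status=200",
    '10.0.0.7 - - [03/Feb/2025:03:14:05 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload'
    '?session=[elided]%20tftp%20-g HTTP/1.1" 200 17 "-" "-"',
    "2025-02-03T03:15:00Z fw action=deny src=10.0.0.7 dst=5.255.125.150 dport=443",
    "2025-02-03T03:16:00Z dns client=10.0.0.8 query=updates.example.com type=A",
    '10.0.0.8 - - [03/Feb/2025:03:16:02 +0000] "GET /cgi-bin/cstecgi.cgi?action=getStatus'
    ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

The last sample line shows why the endpoint rule is paired with the downloader keyword: cstecgi.cgi is a legitimate management endpoint on the affected routers, and flagging every request to it would bury the real hits. In production the IoC list would be loaded from a feed rather than embedded, and the file hashes from the table would be checked against an EDR or file-scanning source rather than against log text.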