
A nascent botnet called Andoryu has been found exploiting a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices.
The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests and leads to unauthenticated remote code execution and complete compromise of wireless access point (AP) equipment.
Andoryu was first documented by Chinese cybersecurity firm QiAnXin in early February of this year, which detailed its ability to communicate with command-and-control (C2) servers over the SOCKS5 protocol.

The malware is known to weaponize remote code execution flaws in GitLab (CVE-2021-22205) and Lilin DVRs to propagate, and the addition of CVE-2023-25717 lets Andoryu reach more devices, indicating that its operators are actively expanding their arsenal of exploits to ensnare devices into the botnet.
"It contains DDoS attack modules for various protocols and uses SOCKS5 proxies to communicate with command-and-control servers," said Fortinet FortiGuard Labs researcher Cara Lin, adding that the latest campaign started in late April 2023.
Further analysis of the attack chain shows that once the Ruckus vulnerability is used to gain access to a device, a script is fetched from a remote server and dropped onto the infected device for propagation.

The malware then establishes a connection to the C2 server and waits for further instructions to launch DDoS attacks against the intended target using protocols such as ICMP, TCP, and UDP.
The price of carrying out such attacks is advertised on the seller's Telegram channel, with monthly plans ranging from $90 to $115 depending on the attack duration.
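The article names the flood protocols (ICMP, TCP, UDP) but not how a defender would spot them. The following is an added example, not code from Fortinet or from the article, showing a minimal per-source, per-protocol packet-rate check over flow records. The record layout, the thresholds and the sample flows are all constructed assumptions for illustration.

```python
import collections
from datetime import datetime

# Constructed flow records (assumption: a NetFlow-like export reduced to the
# fields this check needs). Timestamps are naive ISO-8601, proto is the IANA name.
SAMPLE_FLOWS = [
    {"ts": "2023-04-28T10:00:00", "src": "198.51.100.7", "dst": "203.0.113.10", "proto": "ICMP", "pkts": 4000},
    {"ts": "2023-04-28T10:00:02", "src": "198.51.100.7", "dst": "203.0.113.10", "proto": "ICMP", "pkts": 4500},
    {"ts": "2023-04-28T10:00:04", "src": "198.51.100.7", "dst": "203.0.113.10", "proto": "ICMP", "pkts": 3900},
    {"ts": "2023-04-28T10:00:01", "src": "198.51.100.8", "dst": "203.0.113.10", "proto": "UDP", "pkts": 12000},
    {"ts": "2023-04-28T10:00:03", "src": "198.51.100.8", "dst": "203.0.113.10", "proto": "UDP", "pkts": 11000},
    {"ts": "2023-04-28T10:00:05", "src": "192.0.2.44", "dst": "203.0.113.10", "proto": "TCP", "pkts": 30},
    {"ts": "2023-04-28T10:00:09", "src": "192.0.2.44", "dst": "203.0.113.10", "proto": "TCP", "pkts": 25},
]

# Illustrative packets-per-second thresholds per protocol for one source
# talking to one destination. These are assumptions, not Fortinet's figures.
PPS_THRESHOLDS = {"ICMP": 1000, "UDP": 2000, "TCP": 2000}

_EPOCH = datetime(1970, 1, 1)


def _window_index(ts_str, window_seconds):
    """Map a timestamp onto a fixed-size window counted from the epoch."""
    ts = datetime.fromisoformat(ts_str)
    return int((ts - _EPOCH).total_seconds() // window_seconds)


def detect_floods(flows, window_seconds=10, thresholds=PPS_THRESHOLDS, default_pps=2000):
    """Aggregate packets per (src, dst, proto) inside fixed windows and return
    one alert per aggregate whose average packet rate exceeds its threshold."""
    buckets = collections.defaultdict(int)
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], _window_index(f["ts"], window_seconds))
        buckets[key] += f["pkts"]

    alerts = []
    for (src, dst, proto, win), pkts in sorted(buckets.items()):
        pps = pkts / window_seconds
        if pps > thresholds.get(proto, default_pps):
            alerts.append({"src": src, "dst": dst, "proto": proto, "window": win, "pps": pps})
    return alerts


if __name__ == "__main__":
    for a in detect_floods(SAMPLE_FLOWS):
        print(f"{a['proto']} flood: {a['src']} -> {a['dst']} at {a['pps']:.0f} pps")
```

With the constructed flows above, the ICMP and UDP sources exceed their thresholds while the low-volume TCP source does not. In practice the thresholds should be derived from baseline traffic for each destination rather than fixed constants.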
RapperBot botnet adds crypto mining to feature list
The alert follows the discovery of a new version of the RapperBot DDoS botnet that incorporates cryptojacking functionality to profit from compromised Intel x64 systems by dropping a Monero cryptominer.
RapperBot campaigns have primarily focused on brute-forcing IoT devices with weak or default SSH or Telnet credentials to expand the footprint of the botnet and launch DDoS attacks.
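Since RapperBot's initial access is credential brute-forcing rather than an exploit, the most useful control on the defender's side is watching authentication logs. The following is an added example, not code from Fortinet or from the article, that parses sshd log lines, flags a source that fails repeatedly within a short window, and separately flags a successful login from a source that had just been brute-forcing (the case a responder most wants to see). The log lines are constructed, the year is assumed because syslog omits it, and Telnet logins (which the article also mentions) are not covered since they produce no comparable standard log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format; not real telemetry.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 cam01 sshd[812]: Invalid user admin from 198.51.100.23 port 41022
Jan 12 03:14:02 cam01 sshd[812]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Jan 12 03:14:03 cam01 sshd[815]: Failed password for root from 198.51.100.23 port 41030 ssh2
Jan 12 03:14:04 cam01 sshd[818]: Failed password for root from 198.51.100.23 port 41038 ssh2
Jan 12 03:14:05 cam01 sshd[821]: Failed password for root from 198.51.100.23 port 41044 ssh2
Jan 12 03:14:06 cam01 sshd[824]: Accepted password for root from 198.51.100.23 port 41050 ssh2
Jan 12 03:20:11 cam01 sshd[901]: Failed password for ops from 192.0.2.9 port 50011 ssh2
Jan 12 03:20:40 cam01 sshd[903]: Accepted publickey for ops from 192.0.2.9 port 50015 ssh2
"""

# Matches the "Failed ... for" and "Accepted ... for" lines sshd writes; other
# lines (e.g. "Invalid user ...") are ignored because the Failed line follows.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

ASSUMED_YEAR = 2023  # syslog timestamps carry no year


def parse_line(line):
    """Return (timestamp, outcome, method, user, src) or None for lines we skip."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return ts, m["outcome"], m["method"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Return alerts: 'brute_force' when a source reaches `threshold` failures
    inside the window, and 'success_after_brute_force' when a login from that
    source then succeeds while those failures are still inside the window."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # src -> recent failure timestamps
    alerts = []

    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, outcome, method, user, src = parsed

        recent = failures[src]
        while recent and ts - recent[0] > window:  # drop failures outside the window
            recent.popleft()

        if outcome == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # fire once, when the threshold is reached
                alerts.append({"src": src, "kind": "brute_force", "user": user, "at": ts.isoformat()})
        elif len(recent) >= threshold:
            alerts.append({"src": src, "kind": "success_after_brute_force",
                           "user": user, "method": method, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{a['at']} {a['src']} {a['kind']} (user {a['user']})")
```

Both conditions fire for 198.51.100.23 in the sample, and the single failure from 192.0.2.9 followed by a key-based login is left alone. Tune the threshold and window to the host: an IoT device that never sees interactive logins can use far lower values than a jump host.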
Fortinet said it first detected the miner activity of the latest RapperBot iteration in January 2023. That attack delivered a Bash shell script that downloaded and executed separate XMRig cryptominer and RapperBot binaries.
Subsequent updates combined the two functions into a single bot client with mining capabilities, while also taking steps to terminate competing miner processes on the infected host.

Interestingly, the new RapperBot sample with the integrated XMRig miner does not include self-propagation functionality, raising the possibility of an alternative distribution mechanism.
"This suggests the possibility of an external loader, operated by the threat actor, that uses credentials collected by other RapperBot samples with brute-force capabilities to infect only x64 machines with the combined bot/miner," Fortinet theorized.
RapperBot’s expansion into cryptojacking is another sign that financially motivated threat operators are going to great lengths to “get the most value out of botnet-infected machines.”
This twin development also coincides with the US Department of Justice’s announcement of the seizure of 13 Internet domains associated with DDoS rental services.