A new malware botnet named ‘AndoryuBot’ is targeting a critical-severity flaw in the Ruckus Wireless Admin panel to infect unpatched Wi-Fi access points for use in DDoS attacks.
Tracked as CVE-2023-25717, the flaw impacts all Ruckus Wireless Admin panels version 10.4 and older, allowing remote attackers to perform code execution by sending unauthenticated HTTP GET requests to vulnerable devices.
The flaw was discovered and fixed on February 8, 2023. Still, many have not applied the available security updates, while end-of-life models impacted by the security problem will not get a patch.
AndoryuBot first appeared in the wild in February 2023, but Fortinet says its newer version that targets Ruckus devices emerged in mid-April.
The botnet malware aims to enlist vulnerable devices to its DDoS (distributed denial of service) swarm that it operates for profit.
Ruckus attack details
The malware infects vulnerable devices via malicious HTTP GET requests and then downloads an additional script from a hardcoded URL for further propagation.
Malicious HTTP request (Fortinet)
The variant analyzed by Fortinet can target numerous system architectures, including x86, arm, spc, m68k, mips, sh4, and mpsl.
After infecting a device, the malware establishes communication with the C2 server using the SOCKS proxying protocol for stealthiness and to bypass firewalls, and then waits for commands.
Setting up C2 communication (Fortinet)
The AndoryuBot malware supports 12 DDoS attack modes: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.
Payload downloading script (Fortinet)
The malware will receive commands from the command and control server that tell it the DDoS type, the target IP address, and the port number to attack.
The malware’s operators rent their firepower to other cybercriminals who want to launch DDoS attacks, accepting cryptocurrency payments (XMR, BTC, ETH, USDT, CashApp) for their services.
Fortinet says the weekly rent prices range from $20 for a single-connection 90-second attack using all available bots launched 50 times a day to $115 for a double-connection 200-second attack using all available bots to launch 100 attacks daily.
The Andoryu project is currently marketed through YouTube videos where its operators demonstrate the botnet’s capabilities.
The malware’s DDoS service promoted on YouTube (Fortinet)
To prevent botnet malware infections, apply available firmware updates, use strong device administrator passwords, and disable remote admin panel access if not needed.