AndoryuBot: The Emerging Botnet Exploiting Ruckus Vulnerability

In April, cybersecurity researchers at FortiGuard Labs discovered a novel botnet, AndoryuBot, which leverages the SOCKS protocol and exploits the Ruckus vulnerability (CVE-2023-25717) to infect devices. First appearing in February 2023, AndoryuBot is equipped with various DDoS attack modules for different protocols and communicates with its command-and-control (C2) server using SOCKS5 proxies.

AndoryuBot botnet targets the Ruckus vulnerability to access devices, subsequently downloading a script for further propagation. The botnet variant analyzed in this case targets architectures such as arm, m68k, mips, mpsl, sh4, spc, and x86. It is saved under the filename “Andoryu,” which inspired the campaign’s name, and uses its downloading method, “curl,” as its file extension.

Upon initialization, AndoryuBot checks the argument count and decodes data from the “.rodata” section. After execution, it prints a string in the console, indicating that the project commenced last year, making it a relatively new botnet group. AndoryuBot then extracts the victim’s public IP address by sending a GET request with a hardcoded User-Agent string.

The botnet initiates a connection to its C2 server using the SOCKS protocol, and once the communication channel is established, it awaits commands from the server to launch a DDoS attack. AndoryuBot employs 12 distinct methods, including tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.

When the victim system receives the attack command, it initiates a DDoS attack on a specific IP address and port number. Researchers found a YouTube video published on April 25, providing an overview of “Andoryu Net.” The botnet’s attack methods align with those described on its Telegram sales page, suggesting that the Andoryu project will likely continue to evolve and enhance its features to attract interest and drive sales.

The remote code execution vulnerability, CVE-2023-25717, affects multiple Ruckus wireless Access Point (AP) devices. Upon compromising a target device, AndoryuBot rapidly propagates and establishes communication with its C2 server via the SOCKS protocol. Within a short timeframe, it is updated with additional DDoS methods and awaits attack commands. Users should remain vigilant, monitor this emerging threat, and apply patches to affected devices as soon as they become available.