AndoryuBot Ruckus

AndoryuBot’s DDOS Rampage

Ruckus Wireless Products in the Crosshairs

On February 8th, 2023, a vendor alerted customers to a security vulnerability in Ruckus Wireless Admin. CVE-2023-25717 is a critical Remote Code Execution (RCE) vulnerability impacting Ruckus Wireless Admin.

This vulnerability stems from inadequate handling of a specially crafted HTTP request. As indicated by the NVD vulnerability description and the publicly available POC, the vulnerability is exploited by sending the following HTTP GET request:

“/forms/doLogin?login_username=admin&password=password$(curl substring)”

The Cyble Global Sensor Intelligence (CGSI) network observed active exploitation of CVE-2023-25717 and deployment of AndoryuBot, as shown in the image below. This incident indicates that Threat Actors (TAs) are actively looking for vulnerable Ruckus assets to exploit.

Figure 1 – Screenshot from Cyble Global Sensor Intelligence

Since the Proof of Concept (POC) for the vulnerability is publicly available, we expect that Threat Actors (TAs) will exploit this vulnerability on a large scale. On May 8th, 2023, Fortinet published a blog post stating, “AndoruyBot distributing through Ruckus Vulnerability”. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-25717 to its Known Exploited Vulnerabilities catalog on May 15th, 2023.

AndoryuBot is a new Botnet malware sold on Telegram on a subscription basis. The deployment of such malware by TAs allows them to orchestrate large-scale DDoS attacks, which can overwhelm targeted servers and infrastructure by flooding them with a massive volume of traffic.

Exposure of Ruckus Wireless Admin Panel

As the vulnerability is rated critical and is being used to deploy AndoryuBot, researchers at Cyble queried one of the online scanners for internet-exposed Ruckus Wireless Admin panels. They found ~52k instances exposed over the internet.

The figure below represents the geographical distribution of internet-exposed instances.

Figure 2 – Exposure of Ruckus Wireless Admin

The graph below shows the Top 5 countries with the highest number of exposed assets.

Figure 3 – Top 5 countries with the highest number of Exposures

AndoryuBot Analysis

The AndoryuBot binary (SHA256: c4925a91ed853920d8acee79bf0bb9342da4dabc0a2970823027f39ede399bce) is a 32-bit Linux executable.

The figure below shows the file details.

Figure 4 – File Details

When the malware binary is executed, it examines the count of command line arguments provided during execution. It will proceed with its execution only if a single argument is detected.

The figure below illustrates the process of determining the number of arguments passed.

Figure 5 – Checking Command Line Parameters

Subsequently, the malware calls the prctl() function with the option argument set to 15, which changes the process name. It renames the process to “DvrHelper”, a defense evasion technique used to hide artifacts.

The figure below shows the malware’s call to prctl().

Figure 6 – Changing the Process Name
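prctl() option 15 is PR_SET_NAME, which changes the name reported in /proc/<pid>/comm but not the /proc/<pid>/exe link, so the two can be compared on a Linux host. The following is an added detection example, not code from the original analysis; the function names and the sample process tree are constructed for illustration.

```python
import os
import tempfile

COMM_MAX = 15           # kernel keeps at most 15 visible characters of a task name
DELETED = " (deleted)"  # suffix the kernel appends when the binary was unlinked

def find_renamed_processes(proc_root="/proc", watch_names=("DvrHelper",)):
    """Return processes whose comm name does not match their executable."""
    findings = []
    for pid in sorted(e for e in os.listdir(proc_root) if e.isdigit()):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().rstrip("\n")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient privilege
        deleted = exe.endswith(DELETED)
        exe_path = exe[:-len(DELETED)] if deleted else exe
        expected = os.path.basename(exe_path)[:COMM_MAX]
        if comm != expected or comm in watch_names:
            findings.append({"pid": int(pid), "comm": comm, "exe": exe_path,
                             "exe_deleted": deleted,
                             "watchlisted": comm in watch_names})
    return findings

def build_sample_proc(root):
    """Constructed /proc-like tree: (pid, comm, exe link target or None)."""
    sample = [("101", "sshd", "/usr/sbin/sshd"),
              ("102", "DvrHelper", "/tmp/sample.bin" + DELETED),
              ("103", "kworker/0:1", None)]  # kernel threads have no exe link
    for pid, comm, exe in sample:
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "comm"), "w") as fh:
            fh.write(comm + "\n")
        if exe:
            os.symlink(exe, os.path.join(root, pid, "exe"))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_renamed_processes(build_sample_proc(tmp)):
            print(hit)
```

Scripts started through an interpreter and daemons that rename themselves also produce mismatches, so treat the output as triage input and prioritise entries that are watchlisted or whose executable has been deleted.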

Following that, the AndoryuBot binary proceeds to decrypt the encrypted strings located within the “.rodata” section. Employing a common decryption loop, it decrypts each encrypted string present.

The figure below illustrates the call to the decryption function incorporated within the malware.

Figure 7 – Call to Decryption Function

Subsequently, the malware establishes sockets to facilitate communication with a Command and Control (C&C) Server. Depending on the instructions received from the server, the malware will carry out nefarious activities, such as initiating a Distributed Denial of Service (DDOS) Attack.

To facilitate network communication, the malware utilizes the socket() function to create a socket.

Figure 8 – Setting up Network Communication

Conclusion

Ruckus specializes in providing networking solutions and services that are widely used by organizations. However, the widespread use of networking products has attracted the interest of TAs who actively exploit vulnerabilities for their malicious intents.

Recent incidents involving the exploitation of vulnerabilities in GoAnywhere, PaperCut, and now Ruckus serve as indicators that TAs are actively seeking out internet-exposed instances that are susceptible to attacks.

In today’s era, it has become increasingly crucial to have a comprehensive understanding of security vulnerabilities within organizations to effectively address and mitigate potential risks.

Recommendations

  • Implement proper network segmentation to prevent attackers from performing lateral movement and minimize exposure of critical assets over the internet.
  • Keeping software, firmware, and applications updated with the recent patches and mitigations released by the official vendor is necessary to prevent attackers from exploiting vulnerabilities.
  • Regular audits, vulnerability assessments, and pentesting exercises are key in finding security loopholes that attackers may exploit.
  • Continuous monitoring and logging can help in detecting network anomalies early.

MITRE ATT&CK® Techniques 

Tactic                Technique ID  Technique Name
Execution             T1059         Command and Scripting Interpreter
Defense Evasion       T1140         Deobfuscate/Decode Files or Information
Defense Evasion       T1480         Execution Guardrails
Defense Evasion       T1036         Masquerading
Privilege Escalation  T1055         Process Injection
Command and Control   T1095         Non-Application Layer Protocol

Indicators of Compromise (IoCs):

