AndoryuBot malware exploits a critical Ruckus RCE flaw

May 15, 2023

Operators of the new AndoryuBot malware have been targeting a critical vulnerability in the Ruckus Wireless Admin panel to compromise unpatched and outdated WiFi access points and recruit them into Distributed Denial-of-Service (DDoS) attacks.

The Ruckus Wireless Admin panel flaw is CVE-2023-25717, which affects panel versions 10.4 and older. The bug could allow an attacker to achieve remote code execution by sending unauthenticated HTTP GET requests to vulnerable devices.

The AndoryuBot malware emerged earlier this year. 

Researchers revealed that the AndoryuBot malware first appeared in the cybercriminal landscape in February. However, a new investigation indicates that a newer version of the malware has been targeting Ruckus devices.

The primary objective of the botnet operators is to enlist vulnerable devices into the DDoS campaigns they run for profit.

Based on reports, the malware infects Ruckus devices through malicious HTTP GET requests and then downloads an additional script from a hardcoded URL for propagation. The AndoryuBot version analysed by researchers targets numerous CPU architectures, including arm, x86, SPC, sh4, maps, mips, and m68k.

Subsequently, the malware communicates with its command-and-control (C2) server over the SOCKS proxy protocol, which helps it obfuscate traffic and bypass firewalls, and then waits for further commands.

Researchers confirmed that the new AndoryuBot malware supports 12 DDoS attack modes. The malware receives additional commands from the C2 server specifying the DDoS attack type, the target IP address, and the port number to attack.

Furthermore, the malware operators rent out the botnet to other cybercriminals who want to launch DDoS campaigns. The developers accept several payment methods for their services, including the cryptocurrencies XMR, BTC, USDT and ETH, as well as CashApp.

Researchers identified that the weekly rental price is about $20 for a single-connection 90-second attack through all available bots, usable 50 times daily. Customers can also rent a double-connection 200-second attack via all available bots, usable 100 times daily, for $115.

The developers of this new malware project promote their tool through YouTube videos in which the operators demonstrate the botnet's capabilities. Cybersecurity experts recommend that Ruckus users apply firmware updates, use strong device admin passwords, and disable admin panel access where it is not needed to prevent AndoryuBot infections.
