AndoryuBot – New Botnet Campaign Targets Ruckus Wireless Admin Remote Code Execution Vulnerability (CVE-2023-25717) | FortiGuard Labs

Fortinet FortiGuard Labs documents a new botnet named AndoryuBot that targets Ruckus Wireless Access Points via CVE-2023-25717 to gain control of devices. The malware then uses a SOCKS-based C2, downloads a propagation script, and implements DDoS capabilities. #AndoryuBot #CVE-2023-25717

Key points

  • AndoryuBot targets the CVE-2023-25717 Ruckus vulnerability to gain initial access to devices.
  • The malware communicates with its C2 server through SOCKS5 proxies.
  • It downloads a propagation script (via curl) and saves the payload under the name Andoryu for multiple architectures (arm, m68k, mips, mpsl, sh4, spc, x86).
  • The code decodes data from the .rodata section and uses an encryption key (0x2A41605D) during execution.
  • It queries api.ipify.org to obtain the victim’s public IP address before establishing C2 communication.
  • The botnet includes 12 DDoS methods (e.g., tcp-raw, udp-plain, icmp-echo) and awaits commands from the C2 to launch attacks.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used CVE-2023-25717 to gain initial access to a Ruckus AP. “target the Ruckus vulnerability to gain access to a device.”
  • [T1105] Ingress Tool Transfer – Downloads a script for further propagation via curl. “downloads a script for further propagation.”
  • [T1027] Obfuscated/Compressed Data – Decodes data from the .rodata section and uses an encryption key. “decodes data from the ‘.rodata’ section. The encryption key, ‘0x2A41605D’, and the clear text are shown in Figure 6.”
  • [T1090] Proxy – Communicates with its C2 server using SOCKS5 proxies. “communicates with its C2 server using SOCKS5 proxies.”
  • [T1499] Denial of Service – Contains DDoS attack modules for different protocols. “contains DDoS attack modules for different protocols.”
  • [T1071.001] Web Protocols – Retrieves the victim’s IP via an HTTP GET to api.ipify.org before C2. “The HTTP request to ‘api.ipify.org’ has a hardcoded User-Agent string.”

Indicators of Compromise

  • [IP Address] C2 / IP fetch – 163.123.142.146, 45.153.243.39
  • [Domain] IP lookup service – api.ipify.org
  • [File Name] Downloaded payload name – Andoryu
  • [File Hash] Sample file hashes – ea064dd91d8d9e6036e99f5348e078c43f99fdf98500614bffb736c4b0fff408, f42c6cea4c47bf0cbef666a8052633ab85ab6ac5b99b7e31faa1e198c4dd1ee1, and 8 more hashes
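As an added example (not part of the FortiGuard write-up), the following Python triages constructed proxy-log lines for the behaviour chain the key points and indicators above describe: a public-IP lookup against api.ipify.org, contact with the listed C2 addresses, and a download of a file named Andoryu. The log line format and the Andoryu.<arch> naming of the per-architecture payload are assumptions.

```python
import re
from collections import defaultdict

# Indicators from the FortiGuard write-up summarised on this page.
C2_IPS = {"163.123.142.146", "45.153.243.39"}
IP_LOOKUP_HOST = "api.ipify.org"
ARCHES = ("arm", "m68k", "mips", "mpsl", "sh4", "spc", "x86")
# Assumption: the per-architecture payload is saved as Andoryu or Andoryu.<arch>.
PAYLOAD_RE = re.compile(r"/Andoryu(?:\.(?:%s))?$" % "|".join(ARCHES))
# Constructed proxy-log format: "<src_ip> <method> <host> <path>" (assumption).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def triage(lines):
    """Return {src_ip: [findings]} for hosts showing the AndoryuBot behaviour chain."""
    findings = defaultdict(list)
    did_ip_lookup = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        src, _method, host, path = m.groups()
        if host == IP_LOOKUP_HOST:
            # The report notes the bot fetches its public IP before contacting C2.
            did_ip_lookup.add(src)
        if host in C2_IPS:
            findings[src].append(
                "c2-after-ipify" if src in did_ip_lookup else "c2-contact"
            )
        if PAYLOAD_RE.search(path):
            findings[src].append("payload-download:" + path.rsplit("/", 1)[-1])
    return dict(findings)


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "10.0.0.7 GET api.ipify.org /",
    "10.0.0.7 GET 163.123.142.146 /bins/Andoryu.mips",
    "10.0.0.9 GET updates.example.internal /firmware.bin",
    "10.0.0.12 GET 45.153.243.39 /",
]

if __name__ == "__main__":
    for src, hits in triage(SAMPLE_LOG).items():
        print(src, hits)
```

Hosts that only contact a C2 address are reported separately from hosts that first performed the ipify lookup, so the full chain can be prioritised over a single-indicator match.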

Read more: https://www.fortinet.com/blog/threat-research/andoryubot-new-botnet-campaign-targets-ruckus-wireless-admin-remote-code-execution-vulnerability-cve-2023-25717