Affected platforms: Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of vulnerable systems
Severity level: Critical
In April, FortiGuard Labs observed a unique botnet based on the SOCKS protocol distributed through the Ruckus vulnerability (CVE-2023-25717). This botnet, known as AndoryuBot, first appeared in February 2023. It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies. Based on our IPS signature trigger count (Figure 1), this campaign started distributing the current version sometime after mid-April.
This article details how this malware leverages the Ruckus vulnerability and examines its behavior once inside an infected device.
Infection
AndoryuBot targets the Ruckus vulnerability to gain access to a device. It then downloads a script for further propagation. The complete script is shown in Figure 3, and the download URL is http[:]//163[.]123[.]142[.]146. The AndoryuBot variant in this analysis targets the following architectures: arm, m68k, mips, mpsl, sh4, spc, and x86. The payloads are saved under the filename “Andoryu,” which is how the campaign name was derived, and the download method, “curl”, is used as the file extension. The script also references a “.ppc” payload, but that link does not return a valid executable; it only contains the string “Invalid file bixxh axx boi”.
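When triaging a multi-architecture dropper like this one, the first question for each downloaded file is which CPU it was built for and whether it is a usable ELF at all (the “.ppc” link above returned placeholder text instead of a binary). The following Python is an added example, not code from the original post or from Fortinet; it reads the ELF identification bytes and e_machine field and maps them to the architecture tags used in the dropper list. The e_machine constants come from the ELF specification; the sample headers are constructed for the demonstration and are not real AndoryuBot binaries.

```python
import struct

# e_machine values from the ELF specification, mapped to the architecture tags
# the dropper script uses (arm, m68k, mips, mpsl, sh4, spc, x86, ppc).
EM_TO_TAG = {
    2: "spc",    # EM_SPARC
    3: "x86",    # EM_386
    4: "m68k",   # EM_68K
    8: "mips",   # EM_MIPS (refined to "mpsl" below when little-endian)
    20: "ppc",   # EM_PPC
    40: "arm",   # EM_ARM
    42: "sh4",   # EM_SH
}

# Prefix of the placeholder text the .ppc link returned instead of a binary.
INVALID_MARKER = b"Invalid file"


def elf_arch_tag(data: bytes) -> str:
    """Return the dropper-style architecture tag for an ELF blob, or a
    diagnostic string when the blob is not a usable ELF file."""
    if data.startswith(INVALID_MARKER):
        return "not-elf:placeholder-text"
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return "not-elf"
    ei_class, ei_data = data[4], data[5]          # 1/2 = ELF32/ELF64, 1/2 = LE/BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return "not-elf:bad-ident"
    endian = "<" if ei_data == 1 else ">"
    # e_machine is a 16-bit field at offset 18 in both ELF32 and ELF64 headers,
    # stored in the file's own byte order.
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    tag = EM_TO_TAG.get(e_machine)
    if tag is None:
        return f"elf:unknown-machine-{e_machine}"
    if tag == "mips" and endian == "<":
        tag = "mpsl"  # little-endian MIPS, the "mpsl" build in the dropper list
    return tag


def make_elf_header(e_machine: int, little_endian: bool, elf64: bool = False) -> bytes:
    """Constructed minimal ELF header (e_ident + e_type + e_machine) for the
    demonstration; this is not a real sample."""
    ident = b"\x7fELF" + bytes([2 if elf64 else 1, 1 if little_endian else 2, 1]) + b"\x00" * 9
    endian = "<" if little_endian else ">"
    return ident + struct.pack(endian + "HH", 2, e_machine)  # e_type = ET_EXEC


# Constructed stand-ins for the downloaded payloads (names follow the article).
SAMPLES = {
    "Andoryu.mips": make_elf_header(8, little_endian=False),
    "Andoryu.mpsl": make_elf_header(8, little_endian=True),
    "Andoryu.x86": make_elf_header(3, little_endian=True),
    "Andoryu.ppc": b"Invalid file bixxh axx boi",
}


def triage_samples(samples=SAMPLES) -> dict:
    """Tag every blob so the analyst sees which builds are real and which are junk."""
    return {name: elf_arch_tag(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, tag in triage_samples().items():
        print(f"{name:14s} -> {tag}")
```

Distinguishing mips from mpsl by EI_DATA matters when choosing an emulator or disassembler for the sample; the placeholder check keeps a non-binary download from being sent to a sandbox as if it were an executable.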
Technical Analysis – Initialization
AndoryuBot first checks the argument count; the assembly code is shown in Figure 4. Take the x86 file as an example: the original parameters are “Andoryu.10curl” and “ruckus”.
It then decodes data from the “.rodata” section; part of the code is shown in Figure 5. The encryption key, “0x2A41605D”, and the clear text are shown in Figure 6. After decoding, it prints the string “Project Andoryu(12/30/2022). What color is your botnet !” to the console. The date in that banner indicates that the project began at the end of 2022, which makes this quite a new botnet group.
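The article gives the key and the clear text but not the decoding routine itself. The Python below is an added example, not the malware's code or Fortinet's tooling: it assumes the .rodata blob is protected with a repeating 4-byte XOR (an assumption; the key width is simply the width of the 0x2A41605D value, and the byte order chosen here is also an assumption) and shows the two things an analyst does with such a blob: decode it with a known key, and recover the key from a known plaintext when only the banner string is known. The encrypted blob is constructed for the demonstration from the banner and two of the DDoS method names the article lists; it is not data taken from a sample.

```python
# Key from the article; the byte order used here is an assumption.
KEY = bytes.fromhex("2A41605D")
# Banner string from the article.
BANNER = b"Project Andoryu(12/30/2022). What color is your botnet !"


def xor_rolling(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme); applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int = 4) -> bytes:
    """Known-plaintext key recovery for a repeating XOR key: XOR the first
    key_len ciphertext bytes with the first key_len bytes of the plaintext
    they are known to encode (here, the start of the banner)."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of both ciphertext and plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def decode_rodata(blob: bytes, key: bytes = KEY) -> list:
    """Decode a blob and split it on NUL into the individual C strings."""
    return [s for s in xor_rolling(blob, key).split(b"\x00") if s]


# Constructed encrypted blob: banner plus two method names from the article,
# NUL-terminated like C strings, encrypted with the assumed scheme.
CLEAR = BANNER + b"\x00" + b"tcp-raw" + b"\x00" + b"udp-vse" + b"\x00"
ENCRYPTED = xor_rolling(CLEAR, KEY)


if __name__ == "__main__":
    # Case 1: the key is known (e.g. read from the binary as in Figure 6).
    for s in decode_rodata(ENCRYPTED):
        print(s.decode())
    # Case 2: only the banner is known; derive the key from the first 4 bytes.
    print("recovered key:", recover_key(ENCRYPTED, BANNER).hex())
```

If the real routine turns out not to be a plain XOR, the known-plaintext step still tells you so immediately: the recovered "key" will fail to decode the rest of the blob into printable strings.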
Technical Analysis – C2 Communication
After initialization, AndoryuBot sends a GET request to extract the victim’s public IP address. The HTTP request to “api.ipify.org” has a hardcoded User-Agent string, shown in Figure 7.
Then it starts a connection to its C2 server, 45[.]153[.]243[.]39[:]10333, using the SOCKS protocol. The code is shown in Figure 8.
The first data sent from the compromised endpoint is shown in Figure 9.
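The two observable artifacts of this stage are the destination (the C2 address and port given above) and the protocol (a SOCKS handshake to a host that is not a sanctioned proxy). The Python below is an added example, not code from the original post or from Fortinet: it runs a small flow-triage routine over constructed flow records, matching destinations against the article's C2 addresses and checking whether the first client bytes look like an RFC 1928 SOCKS5 greeting. The article states the channel uses SOCKS but does not reproduce the exact first bytes (Figure 9), so the greeting check is a generic SOCKS5 detector, not a byte-for-byte signature of the sample; the flow records, private addresses and the corporate-proxy allow list are all constructed.

```python
from dataclasses import dataclass

# C2 addresses and port from the article (defanging brackets removed).
C2_IOCS = {"163.123.142.146", "45.153.243.39"}
C2_PORT = 10333


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client payload bytes, as a network sensor would record them


def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS in 1..255, then NMETHODS
    method bytes. Short or differently-versioned payloads are rejected."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) >= 2 + nmethods


def assess_flow(flow: Flow, known_proxies=frozenset()) -> list:
    """Return the reasons a flow deserves attention (empty list = nothing seen)."""
    reasons = []
    if flow.dst in C2_IOCS:
        reasons.append("dst-matches-andoryu-ioc")
    if is_socks5_greeting(flow.first_bytes) and flow.dst not in known_proxies:
        reasons.append("socks5-greeting-to-unknown-host")
    # The port alone is weak evidence, so it only strengthens an existing hit.
    if flow.dport == C2_PORT and reasons:
        reasons.append("andoryu-c2-port")
    return reasons


# Constructed flow records (RFC 5737 documentation addresses for the non-IOC hosts).
FLOWS = [
    Flow("10.0.0.7", "45.153.243.39", 10333, b"\x05\x01\x00"),        # C2 hit plus SOCKS5 greeting
    Flow("10.0.0.7", "198.51.100.5", 443, b"\x16\x03\x01\x00\xc4"),   # TLS ClientHello, benign
    Flow("10.0.0.9", "10.0.0.2", 1080, b"\x05\x02\x00\x02"),          # SOCKS5 to the sanctioned proxy
    Flow("10.0.0.9", "203.0.113.10", 8080, b"\x05\x01\x00"),          # SOCKS5 greeting to an unknown host
]


def triage_flows(flows=FLOWS, known_proxies=frozenset({"10.0.0.2"})) -> dict:
    """Map each flagged destination to its list of reasons."""
    hits = {}
    for f in flows:
        reasons = assess_flow(f, known_proxies)
        if reasons:
            hits[f.dst] = reasons
    return hits


if __name__ == "__main__":
    for dst, reasons in triage_flows().items():
        print(f"{dst:16s} {', '.join(reasons)}")
```

An access point has no business opening SOCKS sessions to arbitrary Internet hosts, so the second rule catches the behaviour even after the C2 address changes; the allow list keeps a legitimate internal proxy from generating noise.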
Technical Analysis – DDoS Attacking
After the communication channel is set up, the client waits for a command from the server to launch a DDoS attack. The functions are shown in Figure 10. AndoryuBot includes 12 methods: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo. These names also appear in the decoded data from the previous section.
Once the victim system receives the attack command, it starts a DDoS attack on a specific IP address and port number. One example of the DDoS attack traffic is shown below:
Based on the above features of AndoryuBot, we found a YouTube video published on April 25 that gives a brief introduction to “Andoryu Net”. The description of its attack methods, taken from its sales page on Telegram, is shown in Figure 12. The names match the decoded data from the AndoryuBot sample we collected. The Andoryu project will likely continue to update its features to increase interest and sales.
Conclusion
CVE-2023-25717 is a remote code execution vulnerability affecting multiple Ruckus wireless Access Point (AP) devices (FortiGuard Labs released a threat signal report about CVE-2023-25717 on April 28). Once a target device is compromised, AndoryuBot quickly spreads and begins communicating with its C2 server via the SOCKS protocol. In a very short time, it is updated with additional DDoS methods and awaits attack commands. Users should be aware of this new threat and actively apply patches on affected devices as soon as they become available.
Fortinet Protections
This malware is detected and blocked by FortiGuard Antivirus as:
ELF/Andoryu.CBN!tr
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected.
Fortinet has also released IPS signatures to proactively protect our customers from the threats contained in the exploit list.
The FortiGuard Web Filtering Service blocks the C2 server.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.
IOCs
C2:
163[.]123[.]142[.]146
45[.]153[.]243[.]39
Files: