
RustoBot Botnet Attacks Routers with Rust


FortiGuard Labs recently reported the discovery of a botnet named “RustoBot”, written in Rust, a systems programming language. The botnet targets vulnerable network devices, such as TOTOLINK routers and certain DrayTek devices, by exploiting command injection vulnerabilities including CVE-2022-26210 and CVE-2022-26187. Successful exploitation gives the attackers remote control of the compromised device. The campaign ships builds for several architectures, including arm5, arm6, arm7, mips, and x86, and primarily affects devices located in Japan, Taiwan, Vietnam, and Mexico.

RustoBot begins its propagation by using downloader scripts to deliver the initial payload to compromised web servers. When the payload executes, it downloads a Rust-based binary matching the victim’s architecture. The malware then entrenches itself on the device and uses several obfuscation techniques to evade detection: XOR-based encryption of its configuration data and dynamic resolution of system APIs, both of which add work for analysts examining the sample.
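A small analysis helper for the XOR-obfuscated configuration described above, added here as an example and not taken from the FortiGuard report or the malware itself. The report does not give RustoBot’s key, key length or configuration layout, so the sample blob is constructed with an assumed single-byte key; the helper recovers a single-byte key by scoring each candidate decoding for English-like text, which is how an analyst would triage a blob of this kind before looking for the real routine in the binary.

```python
"""Recover a single-byte XOR key from an obfuscated configuration blob.

Added example, not from the FortiGuard report: the real RustoBot key and
config format are not published, so SAMPLE_* below are constructed.
"""
from typing import Optional

# Letters that dominate English and config-style text get extra weight.
COMMON_LETTERS = set(b"etaoinshrdlu")
WHITESPACE = {0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> float:
    """Average per-byte score; non-printable bytes are penalised heavily so a
    wrong key that lands on control characters cannot win."""
    if not data:
        return 0.0
    total = 0.0
    for b in data:
        if b in COMMON_LETTERS:
            total += 3.0
        elif 0x61 <= b <= 0x7A:          # other lowercase letters
            total += 1.0
        elif 0x41 <= b <= 0x5A:          # uppercase letters
            total += 0.5
        elif 0x30 <= b <= 0x39:          # digits
            total += 0.5
        elif b in WHITESPACE:
            total += 0.5
        elif 0x20 <= b < 0x7F:           # printable punctuation / space
            total += 0.2
        else:                            # control bytes, DEL, high bytes
            total -= 10.0
    return total / len(data)


def recover_key(blob: bytes, min_score: float = 0.5) -> Optional[int]:
    """Try all 256 single-byte keys; return the best one if it looks like text."""
    best_key, best_score = None, float("-inf")
    for key in range(256):
        score = text_score(xor_bytes(blob, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key if best_score >= min_score else None


def decode_config(blob: bytes) -> Optional[str]:
    """Return the decoded configuration text, or None if no key fits."""
    key = recover_key(blob)
    if key is None:
        return None
    return xor_bytes(blob, key).decode("ascii", errors="replace")


# Constructed sample: a key/value config XORed with the assumed key 0xC3.
SAMPLE_PLAINTEXT = b"host=c2.example.invalid\nport=443\nmethod=udp\n"
SAMPLE_KEY = 0xC3
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", hex(recover_key(SAMPLE_BLOB)))
    print(decode_config(SAMPLE_BLOB))
```

The scoring deliberately rewards common lowercase letters rather than merely “printable” output: XOR with a single byte maps printable text to printable text for many wrong keys, so a printable-only check is not selective enough. Multi-byte keys need a key-length guess first (for example via Hamming-distance analysis) before this per-byte search applies to each key position.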

The botnet communicates with its command-and-control (C2) servers over DNS-over-HTTPS (DoH), so the malicious traffic blends in with legitimate encrypted web traffic and is hard to pick out on the network. The RustoBot C2 server issues commands for DDoS attacks using UDP, TCP, or raw IP flooding.

These attacks are precisely specified: each command carries the target IP addresses, ports, and packet sizes, allowing the operators to run targeted, high-impact DDoS campaigns. To reduce the risk of RustoBot infection, organizations are advised to update firmware on affected devices promptly, enforce strong authentication, and monitor device activity for signs of unauthorized access. FortiGuard Labs also recommends network traffic filtering to block communication with known C2 domains and IPs. Given the steady growth of botnet activity against IoT and edge devices, organizations should adopt proactive mitigations, including the use of threat intelligence and layered defenses, to protect their networks.
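The two defensive points above, DoH used to hide C2 traffic and filtering on known C2 indicators, can be turned into a simple detection rule over connection logs. The example below is added here and is not FortiGuard’s tooling; it assumes a flow or TLS log with a `sni` (Server Name Indication) column, a constructed IoT/router subnet, a list of well-known public DoH endpoints, and a placeholder C2 blocklist that a real deployment would load from its threat-intelligence feed.

```python
"""Flag DoH use by edge devices and contacts with known C2 indicators.

Added example, not from the FortiGuard report. Log lines, the watched
subnet and the C2 blocklist are constructed placeholders.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Well-known public DoH hostnames (assumption: routers on the embedded
# segment should resolve through the local resolver, not these).
DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Placeholder indicators; replace with your threat-intelligence feed.
C2_BLOCKLIST = {"203.0.113.7", "c2.example.invalid"}

# Address range of the router/IoT segment being watched (constructed).
EDGE_SEGMENT = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def parse_flows(text: str) -> List[Dict[str, str]]:
    """Parse a CSV log with columns ts,src_ip,dst_ip,dst_port,sni."""
    return list(csv.DictReader(io.StringIO(text)))


def detect(flows: List[Dict[str, str]]) -> List[Alert]:
    """Return one alert per flow that matches a C2 indicator or shows an
    edge device talking DoH. Known-C2 hits apply to every source; the DoH
    rule is scoped to the edge segment, since workstations and browsers
    legitimately use DoH."""
    alerts: List[Alert] = []
    for f in flows:
        src = ipaddress.ip_address(f["src_ip"])
        sni = f.get("sni", "") or ""
        if f["dst_ip"] in C2_BLOCKLIST or sni in C2_BLOCKLIST:
            alerts.append(Alert(f["ts"], f["src_ip"], f["dst_ip"],
                                "known C2 indicator"))
        elif src in EDGE_SEGMENT and f["dst_port"] == "443" and sni in DOH_SNI:
            alerts.append(Alert(f["ts"], f["src_ip"], f["dst_ip"],
                                "DoH from edge device"))
    return alerts


# Constructed sample log: one benign edge flow, one edge device using DoH,
# one edge device hitting a blocklisted IP, and one workstation using DoH.
SAMPLE_LOG = """ts,src_ip,dst_ip,dst_port,sni
2025-01-01T00:00:01Z,192.0.2.10,198.51.100.20,443,www.example.com
2025-01-01T00:00:02Z,192.0.2.10,198.51.100.30,443,dns.google
2025-01-01T00:00:03Z,192.0.2.11,203.0.113.7,443,
2025-01-01T00:00:04Z,10.0.0.5,198.51.100.30,443,cloudflare-dns.com
"""

if __name__ == "__main__":
    for a in detect(parse_flows(SAMPLE_LOG)):
        print(f"{a.ts} {a.src} -> {a.dst}: {a.reason}")
```

Scoping the DoH rule to the edge segment is the important design choice: alerting on every DoH connection in the enterprise would drown the signal, whereas a router or IoT device opening its own DoH session to a public resolver is unusual enough to be worth a look. Where SNI is unavailable (for example with Encrypted Client Hello), fall back to destination IP lists for the resolvers, accepting the higher false-positive rate.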

In conclusion, RustoBot is a further reminder of the growing threat from botnets that target vulnerable network devices. As attackers keep refining their tactics and exploiting known vulnerabilities, organizations need to stay vigilant, patch proactively, and maintain robust security measures to protect their infrastructure.
