Severe Ruckus RCE Flaws Utilized By Fresh DDoS Botnet Malware

By   Olivia William
Writer , Information Security Buzz | May 09, 2023 12:18 pm PST

“AndoryuBot’ is a new malware botnet that infects unpatched Wi-Fi access points for DDoS assaults using a key Ruckus Wireless Admin panel weakness.

CVE-2023-25717 allows remote attackers to execute code on susceptible Ruckus Wireless Admin panels version 10.4 and older by sending unauthenticated HTTP GET requests.

February 8, 2023, found and corrected the problem. Many have not installed security upgrades, and end-of-life models affected by the security issue will not receive a fix. Fortinet claims its Ruckus-targeting AndoryuBot debuted in mid-April. Botnet malware recruits susceptible devices to its profit-making DDoS swarm.

Malicious HTTP GET requests to infect susceptible devices and download a script from a hardcoded URL for further dissemination. The Fortinet variation targets x86, arm, spc, m68k, mips, sh4, and mpsl.

After infecting a device, the malware communicates with the C2 server using SOCKS proxying to avoid firewalls and waits for commands.

AndoryuBot supports 12 DDoS attack modes: (tcp-raw, tcp-socket, cnc, handshake, plain, game, ovh, raw, vse, dstat, bypass, and icmp-echo).

The virus receives DDoS type, target IP address, and port number from the command and control server. The malware’s operators charge cryptocurrencies (XMR, BTC, ETH, USDT, CashApp) for DDoS assaults.

Fortinet says weekly rent charges range from $20 for a single-connection 90-second assault employing all available bots fired 50 times a day to $115 for a double-connection 200-second attack with 100 attacks per day.

The Andoryu project promotes its botnet’s capabilities on YouTube. Apply firmware updates, utilize strong device administrator passwords, and disable remote admin panel access if not needed to avoid botnet malware.


Remote attackers can take control of Linux-based Ruckus access points (AP) due to a serious vulnerability. According to a Fortinet notice, a new botnet called AndoryuBot exploited CVE-2023-25717, a February weakness. “[AndoryuBot] contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies,” said Fortinet senior antivirus analyst Cara Lin. According on our IPS signatures trigger count, this campaign began distributing the latest version after mid-April. AndoryuBot enters a device using the Ruckus vulnerability and downloads a script to distribute. Fortinet found a Linux-targeted variation that infected various computer processors, including those in smartphones, laptops, and other devices. 

Curl downloads AndoryuBot. Fortinet detected a programming flaw that prevented some systems from running the malware. “Once a target device is compromised, AndoryuBot quickly spreads and begins communicating with its C2 server via SOCKS,” Lin said. “After receiving the attack command, the victim system starts a DDoS attack on a specific IP address and port number.” Lin says AndoryuBot quickly updates with various DDoS tactics and awaits assault commands. Fortinet recommended users be aware of this new vulnerability and actively apply fixes on impacted devices as they become available. The advice provides IPS signatures for customers and IOCs for other system defenders to protect enterprises from exploit risks. It was published weeks after Akamai security researchers found a new DDoS botnet that could conduct attacks at several Tbps.