AndoryuBot is a relatively new botnet malware that first appeared in February 2023. It exploits vulnerabilities in Ruckus devices to gain unauthorized access and compromise the target device. The malware contains DDoS attack modules for several protocols and communicates with its command-and-control (C2) server through SOCKS5 proxies. After gaining entry, AndoryuBot downloads a script used for further spread and quickly begins communicating with its C2 server over the SOCKS protocol. It uses curl to download itself, although Fortinet identified an error in that code which prevents the malware from running on some devices.
The AndoryuBot variant targets multiple architectures, including arm, m68k, mips, mpsl, sh4, spc, and x86. It includes 12 DDoS attack methods: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo. After initialization, the malware sends a GET request to obtain the victim's public IP address. The campaign distributing this version of AndoryuBot started sometime after mid-April, as reported by Fortinet's senior antivirus analyst Cara Lin.
To protect devices against AndoryuBot, it is recommended to install all available patches and to replace any legacy devices that have reached their end of life (EoL). Awareness of this threat has been raised through various channels, including a YouTube video published on April 25 that provides an overview of "Andoryu Net". As AndoryuBot continues to exploit the Ruckus vulnerability, users are advised to remain vigilant and to keep their systems up to date with the latest security measures.
Description last updated: 2024-05-04T16:36:15.795Z