New Rust Botnet "RustoBot" is Routed via Routers

    Date: 04/22/2025

    Severity: High

    Summary

    RustoBot is a newly identified botnet written in Rust, a programming language known for its speed and security, that spreads through TOTOLINK routers. It exploits command injection vulnerabilities in the routers' cstecgi.cgi script, including CVE-2022-26210 and CVE-2022-26187, to achieve remote code execution. The attackers also exploited CVE-2024-12987, an OS command injection flaw in DrayTek devices. The attacks, observed in Japan, Taiwan, Vietnam, and Mexico, primarily targeted the technology sector.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://66.63.187.69/w.sh

    http://66.63.187.69/wget.sh

    http://66.63.187.69/t

    http://66.63.187.69/tftp.sh

    http://66.63.187.69/arm5

    http://66.63.187.69/arm6

    http://66.63.187.69/arm7

    http://66.63.187.69/mips

    http://66.63.187.69/mpsl

    http://66.63.187.69/x86

    dvrhelper.anondns.net

    techsupport.anondns.net

    rustbot.anondns.net

    miraisucks.anondns.net

    IP Address

    5.255.125.150

    Hash

    76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454

    75d031e8faaf3aa0e9cafd5ef0fd7de1a2a80aaa245a9e92bae6433a17f48385

    fbdd5cba193a5e097cd12694efe14a15eb0fc059623f82da6c0bf99cbcfa22f8

    0dde88e9e5a0670e19c3b3e864de1b6319aaf92989739602e55b494b09873fbe

    15c9d7a63fa419305d7f2710b63f71cc38178973c0ccf6d437ce8b6feeca4ee1

    427399864232c6c099f183704b23bff241c7e0de642e9eec66cc56890e8a6304

    4f0ba25183ecb79a0721037a0ff9452fa8c19448f82943deca01b36555f2cc99

    c0abb19b3a72bd2785e8b567e82300423da672a463eefdeda6dd60872ff0e072

    dae8dae748be54ba0d5785ab27b1fdf42b7e66c48ab19177d4981bcc032cfb1c

    9f098920613bd0390d6485936256a67ae310b633124cfbf503936904e69a81bf

    e547306d6dee4b5b2b6ce3e989b9713a5c21ebe3fefa0f5c1a1ea37cec37e20f

    b910e77ee686d7d6769fab8cb8f9b17a4609c4e164bb4ed80d9717d9ddad364f

    44a526f20c592fd95b4f7d61974c6f87701e33776b68a5d0b44ccd2fa3f48c5d

    efb0153047b08aa1876e1e4e97a082f6cb05af75479e1e9069b77d98473a11f4

    9a9b5bdeb1f23736ceffba623c8950d627a791a0b40c4d44ae2f80e02a43955d

    5dc90cbb0f69f283ccf52a2a79b3dfe94ee8b3474cf6474cfcbe9f66f245a55d

    b68e2d852ad157fc01da34e11aa24a5ab30845b706d7827b8119a3e648ce2cf1

    9e660ce74e1bdb0a75293758200b03efd5f807e7896665addb684e0ffb53afd2

    ec9e77f1185f644462305184cf8afcf5d12c7eb524a2d3f4090a658a198c20ce

    114b460012412411363c9a3ab0246e48a584ce86fc6c0b7855495ec531dd05a1

    1697fd5230f7f09a7b43fee1a1693013ed98beeb7a182cd3f0393d93dd1b7576

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    domainname like "http://66.63.187.69/arm5" or siteurl like "http://66.63.187.69/arm5" or url like "http://66.63.187.69/arm5" or domainname like "http://66.63.187.69/w.sh" or siteurl like "http://66.63.187.69/w.sh" or url like "http://66.63.187.69/w.sh" or domainname like "http://66.63.187.69/wget.sh" or siteurl like "http://66.63.187.69/wget.sh" or url like "http://66.63.187.69/wget.sh" or domainname like "http://66.63.187.69/arm7" or siteurl like "http://66.63.187.69/arm7" or url like "http://66.63.187.69/arm7" or domainname like "http://66.63.187.69/arm6" or siteurl like "http://66.63.187.69/arm6" or url like "http://66.63.187.69/arm6" or domainname like "http://66.63.187.69/tftp.sh" or siteurl like "http://66.63.187.69/tftp.sh" or url like "http://66.63.187.69/tftp.sh" or domainname like "http://66.63.187.69/x86" or siteurl like "http://66.63.187.69/x86" or url like "http://66.63.187.69/x86" or domainname like "http://66.63.187.69/t" or siteurl like "http://66.63.187.69/t" or url like "http://66.63.187.69/t" or domainname like "http://66.63.187.69/mips" or siteurl like "http://66.63.187.69/mips" or url like "http://66.63.187.69/mips" or domainname like "http://66.63.187.69/mpsl" or siteurl like "http://66.63.187.69/mpsl" or url like "http://66.63.187.69/mpsl" or domainname like "dvrhelper.anondns.net" or siteurl like "dvrhelper.anondns.net" or url like "dvrhelper.anondns.net" or domainname like "techsupport.anondns.net" or siteurl like "techsupport.anondns.net" or url like "techsupport.anondns.net" or domainname like "rustbot.anondns.net" or siteurl like "rustbot.anondns.net" or url like "rustbot.anondns.net" or domainname like "miraisucks.anondns.net" or siteurl like "miraisucks.anondns.net" or url like "miraisucks.anondns.net"

    Detection Query 2

    dstipaddress IN ("5.255.125.150") or srcipaddress IN ("5.255.125.150")

    Detection Query 3

    sha256hash IN ("ec9e77f1185f644462305184cf8afcf5d12c7eb524a2d3f4090a658a198c20ce","c0abb19b3a72bd2785e8b567e82300423da672a463eefdeda6dd60872ff0e072","9e660ce74e1bdb0a75293758200b03efd5f807e7896665addb684e0ffb53afd2","9a9b5bdeb1f23736ceffba623c8950d627a791a0b40c4d44ae2f80e02a43955d","44a526f20c592fd95b4f7d61974c6f87701e33776b68a5d0b44ccd2fa3f48c5d","76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454","b68e2d852ad157fc01da34e11aa24a5ab30845b706d7827b8119a3e648ce2cf1","b910e77ee686d7d6769fab8cb8f9b17a4609c4e164bb4ed80d9717d9ddad364f","114b460012412411363c9a3ab0246e48a584ce86fc6c0b7855495ec531dd05a1","75d031e8faaf3aa0e9cafd5ef0fd7de1a2a80aaa245a9e92bae6433a17f48385","efb0153047b08aa1876e1e4e97a082f6cb05af75479e1e9069b77d98473a11f4","fbdd5cba193a5e097cd12694efe14a15eb0fc059623f82da6c0bf99cbcfa22f8","0dde88e9e5a0670e19c3b3e864de1b6319aaf92989739602e55b494b09873fbe","15c9d7a63fa419305d7f2710b63f71cc38178973c0ccf6d437ce8b6feeca4ee1","427399864232c6c099f183704b23bff241c7e0de642e9eec66cc56890e8a6304","4f0ba25183ecb79a0721037a0ff9452fa8c19448f82943deca01b36555f2cc99","dae8dae748be54ba0d5785ab27b1fdf42b7e66c48ab19177d4981bcc032cfb1c","9f098920613bd0390d6485936256a67ae310b633124cfbf503936904e69a81bf","e547306d6dee4b5b2b6ce3e989b9713a5c21ebe3fefa0f5c1a1ea37cec37e20f","5dc90cbb0f69f283ccf52a2a79b3dfe94ee8b3474cf6474cfcbe9f66f245a55d","1697fd5230f7f09a7b43fee1a1693013ed98beeb7a182cd3f0393d93dd1b7576")
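    The three TDIR queries above match exact URL and domain strings, one C2 IP address, and the SHA-256 hashes of the samples. The script below is an added example (not Gurucul's query engine or any code from the referenced Fortinet analysis) that applies the same indicators to plain log lines so the matching logic can be exercised offline. It goes slightly beyond the literal queries: it normalizes each URL to its host, so a download from 66.63.187.69 with a different path or query string still fires, and it compares hashes case-insensitively. The log formats, the key names (url, siteurl, domainname, query, dstipaddress, sha256hash), and the sample lines are constructed for the example; only the indicator values come from the IOC list above.

```python
"""Offline IOC matcher for the RustoBot indicators (added example, not the advisory's own tooling)."""
import re
from urllib.parse import urlparse

# Indicator values copied from the advisory's IOC list.
IOC_URLS = {
    "http://66.63.187.69/w.sh", "http://66.63.187.69/wget.sh", "http://66.63.187.69/t",
    "http://66.63.187.69/tftp.sh", "http://66.63.187.69/arm5", "http://66.63.187.69/arm6",
    "http://66.63.187.69/arm7", "http://66.63.187.69/mips", "http://66.63.187.69/mpsl",
    "http://66.63.187.69/x86",
}
IOC_DOMAINS = {"dvrhelper.anondns.net", "techsupport.anondns.net",
               "rustbot.anondns.net", "miraisucks.anondns.net"}
IOC_IPS = {"5.255.125.150"}
IOC_SHA256 = {
    "76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454",
    "75d031e8faaf3aa0e9cafd5ef0fd7de1a2a80aaa245a9e92bae6433a17f48385",
    "fbdd5cba193a5e097cd12694efe14a15eb0fc059623f82da6c0bf99cbcfa22f8",
    "0dde88e9e5a0670e19c3b3e864de1b6319aaf92989739602e55b494b09873fbe",
    "15c9d7a63fa419305d7f2710b63f71cc38178973c0ccf6d437ce8b6feeca4ee1",
    "427399864232c6c099f183704b23bff241c7e0de642e9eec66cc56890e8a6304",
    "4f0ba25183ecb79a0721037a0ff9452fa8c19448f82943deca01b36555f2cc99",
    "c0abb19b3a72bd2785e8b567e82300423da672a463eefdeda6dd60872ff0e072",
    "dae8dae748be54ba0d5785ab27b1fdf42b7e66c48ab19177d4981bcc032cfb1c",
    "9f098920613bd0390d6485936256a67ae310b633124cfbf503936904e69a81bf",
    "e547306d6dee4b5b2b6ce3e989b9713a5c21ebe3fefa0f5c1a1ea37cec37e20f",
    "b910e77ee686d7d6769fab8cb8f9b17a4609c4e164bb4ed80d9717d9ddad364f",
    "44a526f20c592fd95b4f7d61974c6f87701e33776b68a5d0b44ccd2fa3f48c5d",
    "efb0153047b08aa1876e1e4e97a082f6cb05af75479e1e9069b77d98473a11f4",
    "9a9b5bdeb1f23736ceffba623c8950d627a791a0b40c4d44ae2f80e02a43955d",
    "5dc90cbb0f69f283ccf52a2a79b3dfe94ee8b3474cf6474cfcbe9f66f245a55d",
    "b68e2d852ad157fc01da34e11aa24a5ab30845b706d7827b8119a3e648ce2cf1",
    "9e660ce74e1bdb0a75293758200b03efd5f807e7896665addb684e0ffb53afd2",
    "ec9e77f1185f644462305184cf8afcf5d12c7eb524a2d3f4090a658a198c20ce",
    "114b460012412411363c9a3ab0246e48a584ce86fc6c0b7855495ec531dd05a1",
    "1697fd5230f7f09a7b43fee1a1693013ed98beeb7a182cd3f0393d93dd1b7576",
}
# Hosts of the payload-hosting URLs plus the C2 domains: a fetch from the same
# server with another path or a query string is still flagged.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS} | IOC_DOMAINS

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value" pairs
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Field names are assumptions modelled on the query fields used above.
URL_FIELDS = ("url", "siteurl", "domainname", "query")


def parse_kv(line):
    """Split a key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_line(line):
    """Return a sorted list of (indicator_type, value) hits for one log line."""
    hits = set()
    fields = parse_kv(line)
    for key in URL_FIELDS:
        val = fields.get(key)
        if not val:
            continue
        if val in IOC_URLS:                      # exact match, as in Detection Query 1
            hits.add(("url", val))
        host = urlparse(val).hostname if "://" in val else val
        if host and host.lower() in IOC_HOSTS:   # host-level match (beyond the literal query)
            hits.add(("host", host.lower()))
    for ip in IPV4_RE.findall(line):             # Detection Query 2
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for digest in SHA256_RE.findall(line):       # Detection Query 3, case-insensitive
        if digest.lower() in IOC_SHA256:
            hits.add(("sha256", digest.lower()))
    return sorted(hits)


def scan(lines):
    """Return (index, line, hits) for every line that matched at least one indicator."""
    results = []
    for idx, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results.append((idx, line, hits))
    return results


# Constructed sample log lines for the example (proxy, DNS, firewall, EDR).
SAMPLE_LOGS = [
    'proxy src=10.0.0.12 url="http://66.63.187.69/arm7" status=200',
    'proxy src=10.0.0.12 url="http://66.63.187.69/arm7?v=2" status=200',
    'dns client=10.0.0.7 query=rustbot.anondns.net type=A',
    'fw srcipaddress=10.0.0.7 dstipaddress=5.255.125.150 dport=443 action=allow',
    'edr host=rt-01 sha256hash=0DDE88E9E5A0670E19C3B3E864DE1B6319AAF92989739602E55B494B09873FBE',
    'proxy src=10.0.0.3 url="http://example.com/index.html" status=200',
]

if __name__ == "__main__":
    for idx, line, hits in scan(SAMPLE_LOGS):
        print(idx, hits)
```

    The second sample line shows why host normalization matters: the literal `like "http://66.63.187.69/arm7"` in Detection Query 1 would not fire on a URL carrying a query string, while the host check still does. Treat host-level hits on 66.63.187.69 as lower-confidence than an exact URL hit, since a shared hosting address can serve unrelated content.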

    Reference:

    https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers

    Tags

    Malware, Vulnerability, Botnet, RustoBot, TOTOLINK, Exploit, CVE-2022, CVE-2024, Japan, Taiwan, Vietnam, Mexico, Information Technology
