New Rust Botnet Hijacking Routers to Inject Commands Remotely


Apr 22, 2025 - 14:38

A sophisticated new botnet malware written in the Rust programming language has been discovered targeting vulnerable router devices worldwide.

Dubbed “RustoBot” due to its Rust-based implementation, this malware exploits critical vulnerabilities in TOTOLINK and DrayTek router models to execute remote command injections, potentially affecting technology industries across Japan, Taiwan, Vietnam, and Mexico.

The botnet primarily targets TOTOLINK models including the N600R, A830R, A3100R, A950RG, A800R, A3000RU, and A810R through vulnerabilities in cstecgi.cgi, a CGI script responsible for processing user input and administrative commands.

This script contains command injection flaws that allow attackers to achieve remote code execution on the affected devices.

Similarly, DrayTek Vigor2960 and Vigor300B routers are affected through the CVE-2024-12987 vulnerability, an OS command injection located in the cgi-bin/mainfunction.cgi/apmcfgupload interface.

Initial exploitation begins with simple but effective payloads that leverage these vulnerabilities.

For TOTOLINK devices, the attack uses a crafted request to the vulnerable cstecgi.cgi endpoint with a malicious command string that downloads and executes the malware.

TOTOLINK devices command injection vulnerability’s payload (Source – Fortinet)

The captured payload uses wget to download and execute the "mpsl" binary, the variant built for the architecture of the targeted TOTOLINK devices.

Fortinet researchers identified that after initial compromise, RustoBot deploys multiple architecture-specific variants through four different downloader scripts, targeting arm5, arm6, arm7, mips, and mpsl architectures.

Multi-architecture approach

This multi-architecture approach ensures broad compatibility across various router models and embedded systems.

The malware’s sophisticated design includes several advanced techniques for operation and evasion.

RustoBot retrieves system API functions from the Global Offset Table (GOT) and employs XOR encryption to encode its configuration data.

XOR decode ciphers (Source – Fortinet)

The malware calculates decoder key offsets using complex instruction sequences, as in this disassembled routine:

get_key_offset_4 proc near
    xor     esi, 803C490h
    imul    eax, esi, 0B0D0D74h
    xor     eax, 120ED6A5h
    mov     ecx, eax
    shr     ecx, 1Ch
    xor     ecx, eax
    imul    eax, ecx, 0D921h
    movzx   eax, ax
    add     rax, rdi
    retn
get_key_offset_4 endp
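As an added illustration (not code from Fortinet's report or from the malware), the routine above translated into Rust, the kind of helper an analyst writes to reproduce a sample's key-offset arithmetic when decoding its XOR-encoded configuration offline. It assumes the SysV x86-64 calling convention (rdi = base of the key table, esi = 32-bit selector); the per-byte decode loop and the sample data are constructed for illustration, since the article does not describe the real configuration layout.

```rust
// Added analysis helper, not from the Fortinet write-up or the malware.
// ASSUMPTIONS: SysV x86-64 convention (rdi = key-table base, esi = selector);
// the selector-per-byte decode scheme below is illustrative only.

/// Faithful translation of the disassembled arithmetic: 32-bit wrapping ops,
/// then the 16-bit result in ax is added to the 64-bit base passed in rdi.
pub fn get_key_offset_4(base: u64, selector: u32) -> u64 {
    let esi = selector ^ 0x0803_C490;            // xor   esi, 803C490h
    let mut eax = esi.wrapping_mul(0x0B0D_0D74); // imul  eax, esi, 0B0D0D74h
    eax ^= 0x120E_D6A5;                          // xor   eax, 120ED6A5h
    let ecx = (eax >> 0x1C) ^ eax;               // mov ecx,eax; shr ecx,1Ch; xor ecx,eax
    eax = ecx.wrapping_mul(0xD921);              // imul  eax, ecx, 0D921h
    let ax = u64::from(eax & 0xFFFF);            // movzx eax, ax
    base.wrapping_add(ax)                        // add   rax, rdi ; retn
}

/// Illustrative decoder (assumed scheme): byte i of the blob is XORed with the
/// key byte selected by get_key_offset_4(0, i), reduced modulo the table size.
/// XOR is symmetric, so the same call encodes and decodes.
pub fn xor_decode(key_table: &[u8], blob: &[u8]) -> Vec<u8> {
    blob.iter()
        .enumerate()
        .map(|(i, &b)| {
            let off = get_key_offset_4(0, i as u32) as usize % key_table.len();
            b ^ key_table[off]
        })
        .collect()
}

fn main() {
    // Constructed sample data, not values recovered from a real sample.
    let key_table: Vec<u8> = (0u8..=255).map(|i| i.wrapping_mul(31) ^ 0x5A).collect();
    let config = b"constructed sample config string";
    let encoded = xor_decode(&key_table, config);
    assert_eq!(xor_decode(&key_table, &encoded), config.to_vec());
    // Selector 0 yields offset 0xE84B (hand-checked against the arithmetic).
    println!("offset for selector 0: {:#x}", get_key_offset_4(0, 0));
}
```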

Once established on a compromised device, RustoBot connects to its command and control infrastructure by resolving domains like dvrhelper.anondns.net, techsupport.anondns.net, rustbot.anondns.net, and miraisucks.anondns.net, all resolving to the same IP address (5.255.125.150).

Trigger UDP flooding attack (Source – Fortinet)

The botnet then awaits instructions to launch various DDoS attacks, including UDP flooding, in which it sends large volumes of UDP packets carrying 1400-byte payloads to the specified target IP address and port, overwhelming the victim's infrastructure.

This emerging threat highlights the persistent vulnerability of IoT and network devices and the evolving sophistication of botnet malware leveraging modern programming languages like Rust for increased stability and cross-platform compatibility.


The post New Rust Botnet Hijacking Routers to Inject Commands Remotely appeared first on Cyber Security News.