How It Spreads
RustDuck infects home routers, IP cameras, Android boxes, and weakly secured servers by exploiting a mix of old vulnerabilities and weak credentials. It targets default passwords on Telnet and SSH services, open Android debugging interfaces, and known flaws in devices from Huawei, D-Link, Totolink, TVT, Ruijie, and TP-Link, as well as server software like Apache CouchDB, ThinkPHP, Jenkins, and Hadoop YARN. The botnet uses more than 20 distribution addresses, with the busiest at 176.65.139[.]204.
Sophisticated Evasion and Engineering
RustDuck installs in two stages: a small loader decrypts a heavier core module, which is being rewritten from C to Rust to resist analysis. The malware runs a detailed checklist to detect security researchers’ labs, looking for analysis tools like Wireshark and gdb, debuggers, honeypot fingerprints, and virtual machine hardware. It uses a risk score system; crossing a threshold causes it to erase traces and quit. Communication is encrypted with ChaCha20-Poly1305 and AES-GCM, with keys derived via HKDF-SHA256 and Curve25519, rotated every ten minutes. Control servers rely on free dynamic-DNS services like duckdns.org, giving the botnet its name.
Impact and Recommendations
RustDuck is currently small but its active development and adoption of Rust signal a worrying trend. It arrives during a year of record DDoS attacks, with other Rust-based botnets like RustoBot emerging in 2025. Defenders should remove remote management interfaces from the public internet, disable Android Debug Bridge and Telnet when not needed, patch or replace end-of-life devices, and block known file hashes, domains, and IP addresses from XLab’s report.
Source: The Hacker News

