RustDuck Botnet’s Rust Overhaul Targets Routers and Servers for DDoS Attacks

The RustDuck botnet uses a two-stage infection chain and sophisticated evasion techniques to hijack routers and servers for DDoS attacks, while its operators are actively rewriting the malware in Rust.

CSBadmin
2 Min Read

How It Spreads

RustDuck infects home routers, IP cameras, Android boxes, and weakly secured servers by exploiting a mix of old vulnerabilities and weak credentials. It targets default passwords on Telnet and SSH services, open Android debugging interfaces, and known flaws in devices from Huawei, D-Link, Totolink, TVT, Ruijie, and TP-Link, as well as server software like Apache CouchDB, ThinkPHP, Jenkins, and Hadoop YARN. The botnet uses more than 20 distribution addresses, with the busiest at 176.65.139[.]204.

Sophisticated Evasion and Engineering

RustDuck installs in two stages: a small loader decrypts a heavier core module, which is being rewritten from C to Rust to resist analysis. The malware runs a detailed checklist to detect security researchers’ labs, looking for analysis tools like Wireshark and gdb, debuggers, honeypot fingerprints, and virtual machine hardware. It uses a risk score system; crossing a threshold causes it to erase traces and quit. Communication is encrypted with ChaCha20-Poly1305 and AES-GCM, with keys derived via HKDF-SHA256 and Curve25519, rotated every ten minutes. Control servers rely on free dynamic-DNS services like duckdns.org, giving the botnet its name.

Impact and Recommendations

RustDuck is currently small but its active development and adoption of Rust signal a worrying trend. It arrives during a year of record DDoS attacks, with other Rust-based botnets like RustoBot emerging in 2025. Defenders should remove remote management interfaces from the public internet, disable Android Debug Bridge and Telnet when not needed, patch or replace end-of-life devices, and block known file hashes, domains, and IP addresses from XLab’s report.

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.

TAGGED:
Share This Article
Follow:
The latest in cybersecurity news and updates.