CyberSecurity SEE

AIRASHI Botnet Capitalizing on Zero-Day Vulnerabilities for Massive DDoS Assaults

In August 2024, the AISURU botnet made headlines when it launched a devastating DDoS attack against Black Myth: Wukong distribution platforms. The attack exploited a critical 0DAY vulnerability in cnPilot routers, and the samples involved used RC4 encryption to obscure their strings.

After a brief hiatus in September, the botnet resurfaced in October under the moniker “kitty.” By November, it had undergone another transformation, rebranding itself as AIRASHI. This new variant of the botnet implemented ChaCha20 encryption for CNC communication, along with HMAC-SHA256 verification. Additionally, AIRASHI boasted rich IP resources for the CNC server, making it highly resilient to takedown attempts.

The AIRASHI botnet spreads through a variety of means, including NDAY vulnerabilities, weak TELNET passwords, and 0DAY vulnerabilities. Common vulnerabilities exploited by this botnet include CVE-2013-3307 and CVE-2016-20016, among others.

Botnet operators frequently showcase their prowess on social media platforms to attract potential customers and intimidate competitors. The AIRASHI operators followed this strategy, demonstrating attack capacity in the range of 1-3 Tbps.

The AIRASHI botnet is a formidable force in the world of cyber threats, targeting various industries globally with its advanced functionality, which includes DDoS attacks, operating system command execution, and proxy services. The latest version communicates with its C2 server through SOCKS5 proxies, using a switch-case structure to handle the different stages of the session.

AIRASHI, a malware family encompassing AIRASHI-DDoS, Go-Proxisdk, and AIRASHI-Proxy, uses RC4 with a 16-byte key for string decryption. These variants share some similarities with AISURU, using a custom protocol with HMAC-SHA256 for message integrity verification and ChaCha20 for encryption.

According to XLab, AIRASHI-DDoS supports 13 message types, including various commands like confirm login, heartbeat, start attack, and reverse shell. On the other hand, AIRASHI-Proxy is limited to supporting just five message types. It’s crucial for organizations to stay vigilant against these evolving threats.

To detect potential attempts to exploit 0-day vulnerabilities affecting cnPilot routers, security experts have developed a Snort rule. This rule helps identify malicious traffic by searching for specific keywords within network packets, such as “execute_script” and “sys_list.” By deploying this rule in intrusion detection systems, organizations can actively monitor network traffic for signs of exploitation and mitigate risks proactively.
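As an illustration of the keyword-based approach described above, here is a constructed Snort rule written for this article; it is not the rule the security experts published. The inbound direction to $HOME_NET, the established-flow condition and the local SID are assumptions to be adjusted per deployment.

```snort
# Constructed example rule (not the published cnPilot rule). Fires on an inbound,
# established TCP stream that carries both keywords the article names.
# SID 1000001 is a placeholder in the local-rule range; adjust before deploying.
alert tcp any any -> $HOME_NET any ( \
    msg:"LOCAL cnPilot exploitation attempt - execute_script and sys_list keywords"; \
    flow:to_server,established; \
    content:"execute_script"; nocase; \
    content:"sys_list"; nocase; \
    classtype:attempted-admin; \
    sid:1000001; rev:1; \
)
```

Both content matches must occur in the same packet or reassembled stream for the rule to fire, so narrow the port or add a flowbit if the two keywords are expected in separate requests, and validate against captured traffic before enabling in blocking mode.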

In conclusion, the threat landscape is constantly evolving, with cybercriminals leveraging advanced techniques to exploit vulnerabilities and wreak havoc. It’s imperative for organizations to adopt robust security measures and stay informed about emerging threats to safeguard against potential cyber attacks.
