Saturday, February 15, 2025

AIRASHI Botnet Exploiting 0-Day Vulnerabilities In Large Scale DDoS Attacks

The AISURU botnet launched a DDoS attack against Black Myth: Wukong distribution platforms in August 2024; the samples leveraged a 0-day vulnerability in cnPilot routers and used RC4 encryption to hide their strings.

After a brief pause in September, the botnet reappeared in October under the name kitty and was updated again in November as AIRASHI.

The current AIRASHI variant uses ChaCha20 encryption for C2 communication with HMAC-SHA256 verification, and it backs its C2 server with a large pool of IP addresses, which makes it resilient to takedown attempts.

The AIRASHI botnet spreads through n-day vulnerabilities, weak Telnet passwords, and 0-day vulnerabilities. The vulnerabilities it exploits include CVE-2013-3307 and CVE-2016-20016, among others.


Botnet operators often showcase their attack capabilities on social media platforms to attract potential customers or intimidate competitors. The AIRASHI botnet uses this exact method to demonstrate its attack capabilities, which are around 1-3 Tbps.

attack capability demonstration

AIRASHI is a DDoS botnet that targets various industries globally. It is updated frequently and exists in multiple versions, with functionality that includes DDoS attacks, operating system command execution, and proxy services.

The latest version communicates with the C2 server through SOCKS5 proxies, authenticating with the username jjktkegl and the password 2bd463maabw5. This proxy traffic is not encrypted, and the sample uses a switch-case structure to handle the different stages of the communication.

It sends heartbeat packets every 2 minutes and receives commands from the C2 server in the format cmdtype+payload; DDoS commands include a new AttckID field.

Decryption of Strings

AIRASHI is a malware family that includes AIRASHI-DDoS, Go-Proxisdk, and AIRASHI-Proxy. AIRASHI-DDoS and AIRASHI-Proxy use RC4 with a 16-byte key for string decryption and share some commonalities with AISURU.

They use a custom protocol with HMAC-SHA256 for message integrity verification and ChaCha20 for encryption; a session involves key negotiation, key confirmation, sending a startup packet, and check-in confirmation.
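As an added example (not code from the article or from XLab), the following is an analyst-side RC4 string decryptor of the kind used to recover obfuscated strings from samples that, like AIRASHI-DDoS and AIRASHI-Proxy, decrypt their strings with a 16-byte RC4 key. The key and the string table it processes are constructed placeholders, not values from any real sample.

```python
# Added example: RC4 string-table decryptor for malware analysis.
# EXAMPLE_KEY and the plaintexts below are constructed placeholders.

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm (KSA): permute S under the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR the keystream into data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string_table(key: bytes, blobs_hex: list[str]) -> list[str]:
    """Decrypt a table of hex-encoded RC4 ciphertexts (as dumped from a
    sample's string table). Bytes that are not valid UTF-8 are replaced so
    that one malformed entry does not abort the whole run."""
    if len(key) != 16:
        raise ValueError("expected a 16-byte key, as used by AIRASHI samples")
    return [rc4_crypt(key, bytes.fromhex(h)).decode("utf-8", "replace")
            for h in blobs_hex]


# Constructed placeholder key for demonstration only (not a real sample key).
EXAMPLE_KEY = b"0123456789abcdef"

if __name__ == "__main__":
    # Build a constructed string table by encrypting known plaintexts, then
    # show that the table decrypts back to them.
    plaintexts = [b"/bin/busybox", b"heartbeat", b"socks5"]
    table = [rc4_crypt(EXAMPLE_KEY, p).hex() for p in plaintexts]
    for blob, text in zip(table, decrypt_string_table(EXAMPLE_KEY, table)):
        print(f"{blob} -> {text}")
```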

According to XLab, AIRASHI-DDoS supports 13 message types, including get net key, confirm net key, confirm login, heartbeat, start attack, exit, killer report, exec command, and reverse shell. 

On the other hand, AIRASHI-Proxy is only capable of supporting five different types of messages, which include get net key, confirm net key, confirm login, heartbeat, and an unknown format. 

Check-In Confirmation

The Snort rule detects potential attempts to exploit the 0-day vulnerability affecting cnPilot routers by searching network packets for specific keywords such as “execute_script,” “sys_list,” and “ASPSSIONID.”

These keywords are indicative of commands that attackers frequently use to gain unauthorized access to the router and potentially compromise the system.

Deploying this rule in an intrusion detection system (IDS) or intrusion prevention system (IPS) helps defenders monitor network traffic for signs of this exploit and proactively mitigate the risk of successful attacks.
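As an added example (not the article's or XLab's code, and not the Snort rule itself), this is a minimal detector that applies the same idea as the rule described above, looking for the keywords “execute_script,” “sys_list,” and “ASPSSIONID” inside packet payloads. The sample payloads are constructed for this example and do not reproduce any real exploit request; the choice to require at least two keywords before alerting is an assumption made here to reduce false positives.

```python
# Added example: keyword-based detector mirroring the Snort rule's content
# matches. SAMPLE_PAYLOADS are constructed; they are not real exploit traffic.

INDICATOR_KEYWORDS = (b"execute_script", b"sys_list", b"ASPSSIONID")


def match_keywords(payload: bytes) -> tuple:
    """Return the indicator keywords found in one payload. Matching is
    case-sensitive, like a Snort 'content' match without 'nocase'."""
    return tuple(k for k in INDICATOR_KEYWORDS if k in payload)


def scan_payloads(payloads, min_hits: int = 2) -> list:
    """Flag payloads that contain at least min_hits indicator keywords.
    Requiring more than one keyword (assumed threshold) reduces false
    positives from benign traffic that happens to carry a single token."""
    alerts = []
    for idx, payload in enumerate(payloads):
        hits = match_keywords(payload)
        if len(hits) >= min_hits:
            alerts.append({"index": idx, "keywords": hits})
    return alerts


# Constructed sample traffic: a benign request, a request carrying only one
# keyword, and a request carrying all three.
SAMPLE_PAYLOADS = [
    b"GET /status HTTP/1.1\r\nHost: router.example\r\n\r\n",
    b"GET /help?topic=sys_list HTTP/1.1\r\nHost: router.example\r\n\r\n",
    (b"POST /placeholder HTTP/1.1\r\nHost: router.example\r\n"
     b"Cookie: ASPSSIONID=placeholder\r\n\r\n"
     b"execute_script sys_list"),
]

if __name__ == "__main__":
    for alert in scan_payloads(SAMPLE_PAYLOADS):
        names = ", ".join(k.decode() for k in alert["keywords"])
        print(f"payload #{alert['index']} matched: {names}")
```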


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
