Airashi and Aisuru Botnets use multiple CVEs to gain access to vulnerable devices

Disclaimer: I do not endorse using or development of botnets.

Image generated by DALL-E

Nicholas Howland, 1/26/2025

In my other articles I talk about botnets and how they store credentials and target devices. There seems to be a lot of botnet activity in the past couple of weeks surrounding the Airashi, Murdoc, and MikroTik-adjacent botnets. I look at the Airashi botnet later in this post but did not dig into the Murdoc and MikroTik botnets, although I have seen MikroTik commands being used on honeypots quite often.

Some of the commonalities of these botnets are that they target publicly accessible IoT devices and PLC controllers, because these devices tend to be insecure by default, have difficult or no patching procedures, use default credentials, or are simply forgotten about. It also seems all roads lead back to Mirai when it comes to botnet source code: Mirai's source code was published, and many of its methods, if not the entire source itself, have been copied and pasted into more recent botnets. Most of what these botnets want to do is either mine crypto or participate in DDoS attacks.

Recent News about Mirai

The largest DDoS attack on record lasted around 80 seconds, pushed 5.6 Tbps of data using UDP, and originated from around 13,000 IoT devices (Cloudflare Q4), very likely infected by the Mirai botnet. Akamai published a blog post about how DigiEver DS-2015 Pro DVRs were being used to spread a Mirai variant. An exploit of the CGI-bin pages is used against these 10-year-old systems to download the malware and infect the device. They include some of the indicators of compromise as well as premade Snort rules to detect the C2 IPs and domains, and some YARA rules for on-host detection (Akamai). As we see over and over again, vulnerable routers get enlisted into botnets after vulnerabilities are published for them; for example, earlier this month the Four-Faith router vulnerability was used by a Mirai botnet to infect devices (The Hacker News Jan 08).

AIRASHI botnet

Airashii is a Japanese word that means lovely, adorable, charming or pretty. AIRASHI is a variant of the AISURU (aka NAKOTNE) botnet. The CVEs used to compromise these devices primarily target authentication bypass and remote command execution vulnerabilities. The Airashi DDoS component supports 13 message types, remains stable at 1-3 Tbps of traffic against targets, uses peer-to-peer communication, and has encoded strings taunting security researchers who publish signatures and research that helps expose how the botnets operate (QiAnXin XLab). QiAnXin XLab did not want to post more about the zero-day or the other vulnerabilities being used, in order to prevent widespread use/abuse (The Hacker News Jan 22). The Broadcom protection bulletin states that weak Telnet credentials are used to compromise devices as well (Broadcom).

List of targeted devices named in the NIST CVE listings: Linksys X3000; MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE; Cambium Networks cnPilot firmware 4.3.2-R4 and prior; Tenda AC7 devices; TOTOLINK A3002RU-V2.0.0 B20190814.1034; DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices; GitLab; WiFiber 120AC inMesh; Nexxt Amp300 ARN02304U8; Zyxel ZyWALL/USG; as well as AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT devices.

The list of CVEs:
https://www.tenable.com/cve/CVE-2013-3307
https://nvd.nist.gov/vuln/detail/cve-2016-20016
https://nvd.nist.gov/vuln/detail/cve-2017-5259
https://nvd.nist.gov/vuln/detail/cve-2018-14558
https://nvd.nist.gov/vuln/detail/CVE-2020-25499
https://nvd.nist.gov/vuln/detail/cve-2020-8515
https://nvd.nist.gov/vuln/detail/CVE-2022-40005
https://nvd.nist.gov/vuln/detail/CVE-2022-44149
https://nvd.nist.gov/vuln/detail/cve-2023-28771

AISURU botnet

Arashi is a Japanese word that means storm. This botnet was first identified in June 2020 targeting the Steam gaming service. According to a Forescout report botnet downloaders using the name Aisuru were seen compromising exposed programmable logic controllers by using default credentials (Forescout).

Grinch Bots

This is a side note and not really like any of the other botnets I discussed earlier in this article, but I wanted to cover it because I thought it was interesting from a human perspective. There are bots that will crawl websites and purchase items before people can complete their orders; much like the Grinch steals Christmas presents, the botnet operators steal joy by buying inventory faster than any human can (Cloudflare 2021) and (Cloudflare 2024).

References

(Akamai) Kyle Lefton, Daniel Messing, and Larry Cashdollar. (December 19, 2024). DigiEver Fix That IoT Thing! https://www.akamai.com/blog/security-research/digiever-fix-that-iot-thing

(The Hacker News Jan 08) Ravie Lakshmanan. (January 08, 2025). Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks. https://thehackernews.com/2025/01/mirai-botnet-variant-exploits-four.html

(Cloudflare Q4) Omer Yoachimik, Jorge Pacheco. (2025-01-21). Record-breaking 5.6 Tbps DDoS attack and global DDoS trends for 2024 Q4. https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/

(Forescout) Amine Amri, Sai Molige, Daniel dos Santos, and Forescout Research. (October 22, 2024). ICS Threats: Malware Targeting OT? It’s More Common Than You Think. https://www.forescout.com/blog/targeting-ot-security-ics-threats-malware/

(QiAnXin XLab) Wang Hao, Alex.Turing, daji, Acey9. (Retrieved: 1/25/2025). More details on the DDoS attack on the (Black Myth: Wukong) distribution platform. https://blog.xlab.qianxin.com/more_ddos_details_on_steam_en/

(The Hacker News Jan 22) Ravie Lakshmanan. (January 22, 2025). Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet. https://thehackernews.com/2025/01/hackers-exploit-zero-day-in-cnpilot.html

(Broadcom) Broadcom. (January 20, 2025). AIRASHI - a large scale DDoS botnet. https://www.broadcom.com/support/security-center/protection-bulletin/airashi-a-large-scale-ddos-botnet

(Cloudflare 2021) Ben Solomon. (2021-12-03). The Grinch Bot is Stealing Christmas! http://blog.cloudflare.com/grinch-bot/

(Cloudflare 2024) Avi Jaisinghani, Adam Martinetti, and Brian Mitchell. (2024-12-23). Grinch Bots strike again: defending your holidays from cyber threats. https://blog.cloudflare.com/grinch-bot-2024/