Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI
Essential information
- Published
- 16/01/2025 11:06
- Modified
- 16/01/2025 12:00
- Tags
- 2025-01-16 CVE-2022-3573 airashi aisuru botnet chacha20 cnpilot ddos encryption hellokitty hmac-sha256 proxy rc4 vulnerability
- Related entities
- 2 vulnerabilities (cve), 9 observables, 1 intrusion sets (apt), 13 techniques (mitre), 3 malware, 6 others
Description
The AIRASHI botnet, an evolved version of AISURU, has been observed conducting large-scale DDoS attacks and exploiting vulnerabilities in various devices. It utilizes a 0DAY vulnerability in cnPilot routers for propagation and employs sophisticated encryption techniques for communication. The botnet demonstrates stable T-level DDoS capabilities, with attack capacity ranging from 1-3 Tbps. AIRASHI targets multiple industries globally, with a focus on China, the United States, Poland, and Russia. The botnet's samples are frequently updated, incorporating features such as proxy services and reverse shell functionality. Its communication protocol includes HMAC-SHA256 verification and ChaCha20 encryption. The operators mock security researchers through their choice of domain names.