New botnet creates permanent backdoors in ASUS routers

A recently discovered botnet has infected thousands of ASUS routers. The malware remains active even after a reboot or a firmware update. It appears to enrol infected devices in a larger network of so-called ORBs (operational relay boxes): a distributed network of virtual private servers (VPS), hacked smart devices, and routers that is used to relay attacker traffic.

This is according to DarkReading. Researchers at Greynoise discovered in mid-March that a botnet was spreading via unpatched or poorly secured ASUS routers. In some cases, the malware gained easy access thanks to weak passwords or known vulnerabilities.

At the same time, it exhibited advanced features. It bypassed Trend Micro’s built-in security and used living-off-the-land techniques to embed itself deep in the system. Greynoise named the malware AyySSHush.

The situation became more complex when researchers at Sekoia recently reported that thousands of edge devices from Linksys, D-Link, QNAP, Araknis Networks, ASUS, and others had been compromised. Greynoise strongly suspects that the same actor is behind these campaigns: a group that Sekoia refers to as ViciousTrap.

According to Bob Rudis of Greynoise, the goal of the campaign is clear: to set up a large ORB network. Such networks are usually associated with organized cybercriminals or state actors, Rudis said.

Brute force attacks

AyySSHush uses simple methods for initial access: brute force attacks on the login screen, or exploitation of known vulnerabilities that have no CVE identifier. Once the malware has access, it attempts to disable Trend Micro’s AiProtection security. Specifically, it targets CVE-2023-39780, an almost two-year-old command injection vulnerability that allows system privileges to be obtained.

The malware creates an empty file that activates a logging function called Bandwidth SQLite Logging (BWDPI). A serious vulnerability in BWDPI then allows arbitrary code to be executed as a system command.

The malware then changes settings to gain permanent SSH access. This change is stored in non-volatile memory (NVRAM), so it survives firmware updates and reboots. According to Rudis, this means that even if the malware itself is removed, part of it can return as long as the configuration stored in NVRAM remains in place and is reactivated. Greynoise therefore advises users to perform a full factory reset.
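Because the persistence described above lives in NVRAM rather than on the firmware partition, the practical check for a defender is to compare the router's current NVRAM settings with a known-good dump and to inspect the SSH variables directly. The following script is an added example written for this article; it is not Greynoise's tooling or ASUS's own code. It takes the text that `nvram show` prints (one `key=value` per line), diffs it against a baseline captured at setup time, and fingerprints every authorized SSH key so that keys an operator never installed stand out. The variable names `sshd_enable`, `sshd_port` and `sshd_authkeys` are assumed to be the ones ASUSWRT builds use, the `<` separator between stored keys is an assumption, and the two dumps and both keys are constructed sample data.

```python
"""Audit an ASUS router's NVRAM dump for signs of persistent SSH access.

Added example, not from the article, Greynoise or ASUS. Input is the text
printed by `nvram show`: one `key=value` per line. Two checks are made:
  1. diff the current dump against a known-good baseline captured at setup,
     so any setting a persistence mechanism adds or changes shows up whatever
     its name;
  2. inspect the SSH-related variables and fingerprint every authorized key so
     unknown keys stand out.
Assumptions: the variable names below are the ones ASUSWRT uses, and '<' or a
newline separates multiple authorized keys in sshd_authkeys.
"""
import base64
import binascii
import hashlib
from dataclasses import dataclass
from typing import Optional

SSH_ENABLE = "sshd_enable"      # assumption: ASUSWRT variable names
SSH_PORT = "sshd_port"
SSH_AUTHKEYS = "sshd_authkeys"
DEFAULT_SSH_PORT = "22"


@dataclass(frozen=True)
class Finding:
    severity: str   # "info", "medium" or "high"
    message: str


def parse_nvram(dump: str) -> dict[str, str]:
    """Parse `nvram show` output; values may be empty or contain '='."""
    settings: dict[str, str] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key] = value
    return settings


def diff_nvram(baseline: dict[str, str], current: dict[str, str]) -> dict[str, tuple]:
    """Return {key: (old_value_or_None, new_value)} for keys added or changed since the baseline."""
    changes = {}
    for key, value in current.items():
        old = baseline.get(key)
        if old != value:
            changes[key] = (old, value)
    return changes


def key_fingerprint(authorized_key_line: str) -> Optional[str]:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints; None if the entry is not parseable."""
    parts = authorized_key_line.split()
    if len(parts) < 2:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        return None
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_authkeys(value: str) -> list[str]:
    """Split the stored key list; assumption: '<' or a newline separates entries."""
    return [k.strip() for k in value.replace("<", "\n").splitlines() if k.strip()]


def audit_ssh(settings: dict[str, str], allowed_fingerprints: set) -> list[Finding]:
    """Flag SSH enabled, a non-default port, and any authorized key not on the operator allowlist."""
    findings: list[Finding] = []
    if settings.get(SSH_ENABLE, "0") not in ("", "0"):
        findings.append(Finding("info", "SSH service is enabled"))
    port = settings.get(SSH_PORT, DEFAULT_SSH_PORT)
    if port != DEFAULT_SSH_PORT:
        findings.append(Finding("medium", f"SSH listens on non-default port {port}"))
    for entry in split_authkeys(settings.get(SSH_AUTHKEYS, "")):
        fp = key_fingerprint(entry)
        parts = entry.split(maxsplit=2)
        comment = parts[2] if len(parts) > 2 else "(no comment)"
        if fp is None:
            findings.append(Finding("medium", f"unparseable authorized key entry: {entry[:40]}"))
        elif fp not in allowed_fingerprints:
            findings.append(Finding("high", f"authorized key not on allowlist: {fp} {comment}"))
    return findings


# Constructed sample data: an operator key installed at setup and a second key
# that was never installed by the operator. Neither is a real key.
OPERATOR_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGnMtCbeeXe6B3z5fX5oQ8uR1z9Jw7kPq3mYl1jV2dHk admin@lan"
UNKNOWN_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIQ7rXk2mN9pLwV3sB8zY0dC1fH4jKtE6gU5aR2nM7oP9"
BASELINE_DUMP = "sshd_enable=0\nsshd_port=22\nsshd_authkeys=\nwan_proto=dhcp\n"
CURRENT_DUMP = (
    "sshd_enable=1\nsshd_port=2222\n"
    f"sshd_authkeys={OPERATOR_KEY}<{UNKNOWN_KEY}\nwan_proto=dhcp\n"
)


def main() -> None:
    baseline, current = parse_nvram(BASELINE_DUMP), parse_nvram(CURRENT_DUMP)
    for key, (old, new) in diff_nvram(baseline, current).items():
        print(f"changed {key}: {old!r} -> {new!r}")
    for finding in audit_ssh(current, {key_fingerprint(OPERATOR_KEY)}):
        print(f"[{finding.severity}] {finding.message}")


if __name__ == "__main__":
    main()
```

The baseline diff is the more robust of the two checks: it does not depend on knowing which variable a given campaign modifies, only on having captured a trustworthy dump before the device was exposed. The SSH audit adds context for the entries that matter most, and the fingerprint format matches `ssh-keygen -l`, so an operator can compare it against their own key inventory directly. If the audit reports anything unexpected, the advice in the article still applies: a factory reset, not just a firmware update, is what clears NVRAM.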

Rudis notes that it is becoming increasingly difficult to stop such attacks. Updates and good security practices are often sufficient, but where they no longer work, his advice is to buy a new router from a vendor with a better reputation every two years.

Thousands of routers remain vulnerable

On March 23, Greynoise joined forces with government and industry partners to combat the malicious network. At its peak, an estimated 12,000 routers were infected. That number has since fallen to just over 8,500, according to a recent Censys search.

Rudis believes that either the attackers have withdrawn or government agencies have taken action to remove the threat. In any case, he does not believe that the router owners have solved the problem themselves. According to him, virtually no one patches their devices after receiving a warning, despite decades of experience in this field.