Zombies Never Die: Analysis of the Latest Situation of the Large Botnet AIRASHI

    Date: 01/24/2025

    Severity: Medium

    Summary

    "Zombies Never Die: Analysis of the Latest Situation of the Large Botnet AIRASHI" discusses the evolution of the AISURU botnet, which launched a large-scale DDoS attack on Steam and Perfect World in August 2024. After halting its activities in September, the botnet was updated and renamed AIRASHI in November 2024. The AIRASHI botnet exploits a zero-day vulnerability in Cambium Networks' cnPilot routers, uses encrypted communication protocols, and draws on an extensive range of IPs across multiple countries to enhance its DDoS capabilities. The botnet has a stable DDoS attack capacity and employs techniques such as HMAC-SHA256 and ChaCha20 encryption to avoid detection. The botnet's command-and-control (CNC) infrastructure is spread across 19 countries, making it difficult to dismantle.

    Indicators of Compromise (IOC) List

    URL/Domain

    xlabresearch.ru

    xlabsecurity.ru

    foxthreatnointel.africa

    IP Address

    190.123.46.21

    190.123.46.55

    95.214.52.167

    162.220.163.14

    Hash (SHA-1)

    3c33aa8d1b962ec6a107897d80d34a5d0b99899e

    0339415f8f3e2b1eb6b24ed08c3a311210893a6e

    95c8073cc4d8b80ceddb8384977ddc7bbcb30d8c

    12fda6d480166d8e98294745de1cfdcf52dbfa41

    08b30f5ffa490e15fb3735d69545c67392ea24e9

    c8b8bd5384eff0fe3a3a0af82c378f620b7dc625

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "foxthreatnointel.africa" or url like "foxthreatnointel.africa" or userdomainname like "xlabsecurity.ru" or url like "xlabsecurity.ru" or userdomainname like "xlabresearch.ru" or url like "xlabresearch.ru"

    Detection Query 2

    dstipaddress IN ("95.214.52.167","190.123.46.21","190.123.46.55","162.220.163.14") or ipaddress IN ("95.214.52.167","190.123.46.21","190.123.46.55","162.220.163.14") or publicipaddress IN ("95.214.52.167","190.123.46.21","190.123.46.55","162.220.163.14") or srcipaddress IN ("95.214.52.167","190.123.46.21","190.123.46.55","162.220.163.14")

    Detection Query 3

    sha1hash IN ("95c8073cc4d8b80ceddb8384977ddc7bbcb30d8c","0339415f8f3e2b1eb6b24ed08c3a311210893a6e","3c33aa8d1b962ec6a107897d80d34a5d0b99899e","c8b8bd5384eff0fe3a3a0af82c378f620b7dc625","12fda6d480166d8e98294745de1cfdcf52dbfa41","08b30f5ffa490e15fb3735d69545c67392ea24e9")
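    The three queries above match the page's IoCs against domain, IP and SHA-1 fields. The following Python script is an added example, not Gurucul's or XLab's code; it runs an offline equivalent of those queries over a handful of constructed log events, using only the IoCs listed on this page. It assumes the field names used in the queries, and it tightens the domain test to "exact domain or subdomain" (extracting the host from a URL with urllib), since a plain substring `like` would also fire on unrelated names such as notxlabresearch.ru.

```python
from urllib.parse import urlparse

# IoCs exactly as listed on this page
AIRASHI_DOMAINS = {"xlabresearch.ru", "xlabsecurity.ru", "foxthreatnointel.africa"}
AIRASHI_IPS = {"190.123.46.21", "190.123.46.55", "95.214.52.167", "162.220.163.14"}
AIRASHI_SHA1 = {
    "3c33aa8d1b962ec6a107897d80d34a5d0b99899e",
    "0339415f8f3e2b1eb6b24ed08c3a311210893a6e",
    "95c8073cc4d8b80ceddb8384977ddc7bbcb30d8c",
    "12fda6d480166d8e98294745de1cfdcf52dbfa41",
    "08b30f5ffa490e15fb3735d69545c67392ea24e9",
    "c8b8bd5384eff0fe3a3a0af82c378f620b7dc625",
}

# Field names taken from Detection Queries 1-3 (assumed to be the event keys)
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha1hash",)


def host_of(value: str) -> str:
    """Return the lower-cased hostname of a URL or a bare domain ('' if none)."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value  # let urlparse treat a bare host as the netloc
    return urlparse(value).hostname or ""


def domain_matches(host: str, ioc: str) -> bool:
    """True for the IoC domain itself or any subdomain; 'notxlabresearch.ru' is rejected."""
    return host == ioc or host.endswith("." + ioc)


def match_event(event: dict) -> list:
    """Return a list of 'queryN:field=ioc' hits for one event (empty if clean)."""
    hits = []
    for field in DOMAIN_FIELDS:                       # Query 1: domains / URLs
        host = host_of(str(event.get(field, "")))
        for ioc in sorted(AIRASHI_DOMAINS):
            if host and domain_matches(host, ioc):
                hits.append(f"query1:{field}={ioc}")
    for field in IP_FIELDS:                           # Query 2: C2 addresses
        value = str(event.get(field, "")).strip()
        if value in AIRASHI_IPS:
            hits.append(f"query2:{field}={value}")
    for field in HASH_FIELDS:                         # Query 3: sample hashes
        value = str(event.get(field, "")).strip().lower()
        if value in AIRASHI_SHA1:
            hits.append(f"query3:{field}={value}")
    return hits


def scan(events) -> dict:
    """Map event id -> hits for every event that triggers at least one query."""
    findings = {}
    for event in events:
        hits = match_event(event)
        if hits:
            findings[event["id"]] = hits
    return findings


# Constructed sample events (not real telemetry); ids 4 and 5 should stay clean.
SAMPLE_EVENTS = [
    {"id": 1, "srcipaddress": "10.0.0.5", "dstipaddress": "95.214.52.167", "url": ""},
    {"id": 2, "srcipaddress": "10.0.0.7", "dstipaddress": "8.8.8.8",
     "url": "http://update.xlabsecurity.ru/arm7"},
    {"id": 3, "ipaddress": "10.0.0.9",
     "sha1hash": "3C33AA8D1B962EC6A107897D80D34A5D0B99899E"},
    {"id": 4, "srcipaddress": "10.0.0.8", "dstipaddress": "93.184.216.34",
     "userdomainname": "example.com"},
    {"id": 5, "userdomainname": "notxlabresearch.ru"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

    Event 2 shows why the host is parsed out of the URL: the C2 hostname is a subdomain, which the suffix rule still catches, while event 5 shows a look-alike name that a raw substring `like` would have flagged. Hashes are lower-cased before lookup so that upper-case SHA-1 values from some EDR exports still match Query 3.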

    Reference:

    https://blog.xlab.qianxin.com/large-scale-botnet-airashi/#ioc


    Tags

    Malware, Botnet, DDoS Attacks, AIRASHI
