Sophisticated ViciousTrap Hackers Compromise 12,000 ASUS Routers in Persistent Botnet Campaign
Security researchers have uncovered a sophisticated botnet operation that has successfully infiltrated thousands of ASUS wireless routers, establishing persistent backdoor access that survives system restarts and firmware updates. The compromised devices may now be operating as part of an extensive operational relay box (ORB) infrastructure - a distributed network comprising virtual private servers and hijacked smart devices.
Cybersecurity analysts at Greynoise first detected the botnet activity in mid-March, observing malicious code spreading across vulnerable and inadequately secured ASUS networking equipment. The attack methodology combined elementary intrusion techniques - exploiting default passwords and known security flaws - with highly advanced persistence mechanisms that bypass the routers' built-in protections and use living-off-the-land tactics to embed deep in the system. The research team designated this malware strain "AyySSHush."
The investigation gained additional complexity when Sekoia researchers released findings about a threat group compromising thousands of edge networking devices from multiple manufacturers, including Linksys, D-Link, QNAP, Araknis Networks, and ASUS. While not definitively linking the campaigns, Greynoise analysts believe with high confidence that the same actor, identified by Sekoia as "ViciousTrap," orchestrates both operations.
"This operation aimed to establish an extensive ORB infrastructure," explains Bob Rudis, Greynoise's vice president of data science. "ORB networks typically indicate involvement by highly sophisticated threat actors - either well-resourced criminal organizations or nation-state entities."
Attack Methodology and Technical Details
The AyySSHush malware employs straightforward initial-compromise techniques against Internet-facing routers: brute-forcing credentials or exploiting documented authentication-bypass vulnerabilities. Notably, some of the login-bypass methods used have no official CVE designation.
After gaining administrative privileges, the malware systematically dismantles "AiProtection," ASUS's Trend Micro-powered security framework. The attack specifically leverages CVE-2023-39780, a command injection vulnerability disclosed nearly two years ago and rated 8.8 on the CVSS scale.
The malware uses this command injection to create a specially named empty file that activates the "Bandwidth SQLite Logging" (BWDPI) function. A critical vulnerability in BWDPI then lets the malware execute arbitrary system commands with elevated privileges.
With complete control of the device, the malware implements its most cunning persistence mechanism: modifying the device configuration to maintain permanent SSH access. Because this modification is stored in non-volatile RAM (NVRAM), it survives firmware updates and power cycles.
"When detection occurs and standard cleanup attempts are made, the code stored in non-volatile RAM provides a pathway for reactivation and continued network participation," Rudis clarifies. Greynoise strongly recommends complete factory resets for affected devices due to this persistence mechanism.
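As an added illustration of how a defender might check for the NVRAM-backed SSH persistence described above (example code written for this article, not GreyNoise's tooling or ASUS firmware), the script below reads an ASUSWRT-style `nvram show` dump and flags the indicators the article names: the SSH daemon enabled, SSH reachable from the WAN, and an authorized public key persisted in NVRAM. The variable names `sshd_enable`, `sshd_wan`, `sshd_port` and `sshd_authkeys` are assumed from ASUSWRT firmware and should be confirmed for your model; both dumps are constructed sample data.

```shell
#!/bin/sh
# Added example for this article, not GreyNoise's or ASUS's code: scan an
# ASUSWRT-style "nvram show" dump (key=value per line) for the SSH-persistence
# indicators described in the text. The variable names below are assumed from
# ASUSWRT firmware; confirm them on your own model before relying on this.

# Constructed sample: SSH enabled, exposed to the WAN on a non-default port,
# with an unrecognised public key persisted in NVRAM.
SAMPLE_NVRAM='sshd_enable=1
sshd_wan=1
sshd_port=2222
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EFAKEKEYDATA unknown@example
wan_ipaddr=198.51.100.7'

# Constructed sample of a device with SSH off and no stored keys.
CLEAN_NVRAM='sshd_enable=0
sshd_wan=0
sshd_port=22
sshd_authkeys=
wan_ipaddr=198.51.100.7'

# nvram_get KEY DUMP: print the value of KEY from DUMP (empty if absent).
nvram_get() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# check_ssh_persistence DUMP: print one line per indicator plus a total,
# return 0 when nothing was found and 1 otherwise.
check_ssh_persistence() {
    dump=$1
    findings=0
    if [ "$(nvram_get sshd_enable "$dump")" = "1" ]; then
        echo "FINDING: SSH daemon enabled via NVRAM"
        findings=$((findings + 1))
        if [ "$(nvram_get sshd_wan "$dump")" = "1" ]; then
            echo "FINDING: SSH reachable from WAN on port $(nvram_get sshd_port "$dump")"
            findings=$((findings + 1))
        fi
    fi
    keys=$(nvram_get sshd_authkeys "$dump")
    if [ -n "$keys" ]; then
        # Report key type and comment only; the key body is not needed for triage.
        echo "FINDING: authorized key persisted in NVRAM (${keys%% *} ... ${keys##* })"
        findings=$((findings + 1))
    fi
    echo "indicators: $findings"
    [ "$findings" -eq 0 ]
}

check_ssh_persistence "$SAMPLE_NVRAM" || echo "Review this device; a factory reset is the recommended remediation."
```

On a live ASUSWRT device the dump comes from `nvram show`; save it to a file and pass its contents to `check_ssh_persistence`. A clean result only means these particular variables look normal, so a device suspected of compromise should still get the full factory reset Greynoise recommends rather than having the variables edited back by hand.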
Evolving Threat Landscape
"Defending against these attackers is becoming exponentially more challenging," Rudis observes. Traditional security measures like regular patching and cybersecurity best practices may prove insufficient. "Organizations might need to consider replacing routers every two years with newer models from reputable manufacturers, as maintaining security for these devices has become extremely difficult."
Infection Statistics and Response Efforts
Greynoise initiated collaborative response efforts with government and industry stakeholders on March 23rd. At peak activity, the botnet had successfully compromised approximately 12,000 Internet-connected routers. Despite the deep-rooted nature of the backdoors, infected device numbers have substantially decreased. Current Censys scanning reveals just over 8,500 compromised hosts.
"Either the attackers abandoned the operation, or law enforcement agencies intervened with takedown actions," Rudis speculates. "I'm confident it wasn't device owners independently cleaning their systems."
"Based on three decades of experience in this field, end users rarely implement security patches after vulnerability disclosure," he notes with frustration, highlighting the persistent challenge of consumer device security maintenance.