Does this botnet affect RMerlin firmware?

[Ltvscout]

New KadNap botnet hijacks ASUS routers to fuel cybercrime proxy network

A newly discovered botnet malware called KadNap is targeting ASUS routers and other edge networking devices to turn them into proxies for malicious traffic.

www.bleepingcomputer.com

 

[ColinTaylor]

The server hosting the malware appears to be offline (or blocked).

 

[heysoundude]

The server hosting the malware appears to be offline (or blocked).

Works for me.

Lumen - isn’t that the company in the TV show Severance?

 

[killweav]

Lumen owns my ISP and according to the article has already blocked it. Banned the IP of the script host anyway.

 

[dave14305]

There used to be a time when @Adamm would update Skynet to add detection for known malware IOCs. Some ancient ones still exist in the script, but nothing new in a while. I think the asd daemon started to confuse Skynet as the malware due to the presence of the detection strings in the script.

 

[CornfieldWin]

14,000 member botnet of ASUS routers, very hard to disinfect. Not good.

The article does not indicate the exploits used or the fixes other than update now and update often which really explains nothing by itself.

 

[Viktor Jaep]

Here's a summary incase anyone is looking for more info:

Initial Access:
KadNap gains initial access via credential stuffing against SSH or ASUS router administrative web interfaces—no specific CVE exploitation has been confirmed.

The following Indicators of Compromise (IOCs) have been identified:

Malicious Script: aic.sh downloaded from 212.104.141[.]140
Malware Binary: kad (ELF file) stored in /jffs/.asusrouter

C2 & Peer Nodes:
45.135.180.38
45.135.180.177

Command-and-Control (C2) Infrastructure:
212.104.141[.]140 (primary staging host)

Additional Files:
fwr.sh
/tmp/.sose

Key Behaviors:
Establishes hourly cron job persistence.
Blocks SSH port 22 to prevent remediation.
Uses a custom Kademlia DHT protocol to hide C2 infrastructure.
Communicates via peer-to-peer (P2P) network to evade detection.

Remediation:
Perform a hard factory reset on the ASUS router.
Update to the latest firmware.
Disable remote management on the WAN interface.
Change default admin credentials.
Monitor for unusual outbound traffic.

Lumen Technologies has blocked traffic to the C2 infrastructure for its customers and shared IOCs publicly via GitHub for broader defense.

CISO Briefing: KadNap Botnet — Kademlia DHT C2 Evasion on ASUS Edge Devices

KadNap Botnet: Kademlia DHT C2 Evasion on ASUS Edge Devices Analysis of a P2P Router Botnet Powering the Doppelgänger Criminal Proxy Service Classification: Executive Brief Date: March 11, 202…

labs.cloudsecurityalliance.org

AGAIN, lesson for those to make sure you've hardened your perimeter. Don't expose SSH or web admin access to the internet. Exposed services are the Achilles heel to many of these compromises.