The AISURU botnet, first observed in August 2024, emerged as a potent threat to online services, culminating in a devastating DDoS attack that crippled the release of “Black Myth: Wukong” by targeting critical infrastructure of both Steam and Perfect World.
The attack was orchestrated to maximize disruption, using a multi-pronged approach that exploits vulnerabilities in a wide range of internet-connected devices, including routers and cameras, to amass a formidable army of compromised machines.
From its initial iterations, which relied on relatively basic exploitation techniques, it rapidly evolved into more sophisticated variants such as kitty, which introduced SOCKS5 proxies to obscure communication with its command-and-control (C2) servers.
There is no doubt that the AIRASHI variant, which represents a significant leap forward in sophistication and resilience, is the definitive culmination of this evolution.
AIRASHI employs a robust security arsenal: RC4 for string decryption, ChaCha20 for message encryption, and HMAC-SHA256 to ensure the integrity of all communications.
It demonstrates a high degree of operational security by diversifying its C2 communication methods, using both DNS A records and TXT records; the latter combine base64 encoding and ChaCha20 encryption to further obfuscate the C2 addresses.
According to XLab, this continuous evolution, characterized by the rapid adoption of cutting-edge techniques and a focus on evading detection, underscores the dynamic and ever-evolving nature of the threat landscape and highlights the persistent challenge posed by sophisticated botnets like AISURU.