{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/routers/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Routers"],"_cs_severities":["high"],"_cs_tags":["botnet","router","kadnap"],"_cs_type":"advisory","_cs_vendors":["Asus"],"content_html":"\u003cp\u003eThe KadNap botnet is actively spreading malware to Asus routers, potentially compromising network security and enabling further malicious activities. Discovered on 2026-03-13, this botnet uses specifically compiled payloads for MIPS and ARM architectures, indicating a focus on embedded devices like routers. The botnet activity can allow attackers to perform a range of actions, including data theft, network exploitation, and use of the compromised devices for distributed denial-of-service (DDoS) attacks. Identifying and blocking these payloads is crucial to prevent further infection and mitigate the impact of the KadNap botnet.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies vulnerable Asus routers with default or weak credentials exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to brute-force or exploit known vulnerabilities in the router's web interface or other exposed services.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication or exploitation, the attacker gains remote access to the router's command line interface (CLI).\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the KadNap payload, either the MIPS or ARM variant, depending on the router's architecture, using \u003ccode\u003ewget\u003c/code\u003e or \u003ccode\u003ecurl\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded payload, granting the KadNap botnet access to the router's resources.\u003c/li\u003e\n\u003cli\u003eThe KadNap payload establishes a connection to a command-and-control (C2) server, receiving instructions and sending back information.\u003c/li\u003e\n\u003cli\u003eThe compromised router is now part of the KadNap botnet, and can be used to launch DDoS attacks, scan for other vulnerable devices, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful KadNap infections can lead to significant disruption of network services, data theft, and compromised devices being used as part of a larger botnet for DDoS attacks or other malicious activities. The number of affected devices is currently unknown, but targeting Asus routers indicates a broad potential impact on home and small business networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eCreate file integrity monitoring rules to detect the presence of the KadNap payloads based on their SHA256 hashes: \u003ccode\u003e0b3dbb951de7a216dd5032d783ba7d0a5ecda2bf872643c3a4ddd1667fb38ffe\u003c/code\u003e and \u003ccode\u003eebf9de6b67e94b2bd2b0dcda1941e04fef1a1dad830404813e468ab8744b7ed8\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided below to detect the download of suspicious binaries on network devices.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections originating from Asus routers to unusual or known malicious IP addresses (future enrichment).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-kadnap-botnet/","summary":"The KadNap botnet is delivering malicious payloads targeting Asus routers, indicated by specific SHA256 hashes of MIPS and ARM binaries.","title":"KadNap Botnet Targeting Asus Routers","url":"https://feed.craftedsignal.io/briefs/2024-01-30-kadnap-botnet/"}],"language":"en","title":"CraftedSignal Threat Feed - Routers","version":"https://jsonfeed.org/version/1.1"}