<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Routers - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/routers/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/routers/feed.xml" rel="self" type="application/rss+xml"/><item><title>KadNap Botnet Targeting Asus Routers</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-kadnap-botnet/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-kadnap-botnet/</guid><description>The KadNap botnet is delivering malicious payloads targeting Asus routers, indicated by specific SHA256 hashes of MIPS and ARM binaries.</description><content:encoded><![CDATA[<p>The KadNap botnet is actively spreading malware to Asus routers, potentially compromising network security and enabling further malicious activities. Discovered on 2026-03-13, this botnet uses specifically compiled payloads for MIPS and ARM architectures, indicating a focus on embedded devices like routers. The botnet activity can allow attackers to perform a range of actions, including data theft, network exploitation, and use of the compromised devices for distributed denial-of-service (DDoS) attacks. Identifying and blocking these payloads is crucial to prevent further infection and mitigate the impact of the KadNap botnet.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies vulnerable Asus routers with default or weak credentials exposed to the internet.</li>
<li>The attacker attempts to brute-force or exploit known vulnerabilities in the router's web interface or other exposed services.</li>
<li>Upon successful authentication or exploitation, the attacker gains remote access to the router's command line interface (CLI).</li>
<li>The attacker downloads the KadNap payload, either the MIPS or ARM variant, depending on the router's architecture, using <code>wget</code> or <code>curl</code>.</li>
<li>The attacker executes the downloaded payload, granting the KadNap botnet access to the router's resources.</li>
<li>The KadNap payload establishes a connection to a command-and-control (C2) server, receiving instructions and sending back information.</li>
<li>The compromised router is now part of the KadNap botnet, and can be used to launch DDoS attacks, scan for other vulnerable devices, or perform other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful KadNap infections can lead to significant disruption of network services, data theft, and compromised devices being used as part of a larger botnet for DDoS attacks or other malicious activities. The number of affected devices is currently unknown, but targeting Asus routers indicates a broad potential impact on home and small business networks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Create file integrity monitoring rules to detect the presence of the KadNap payloads based on their SHA256 hashes: <code>0b3dbb951de7a216dd5032d783ba7d0a5ecda2bf872643c3a4ddd1667fb38ffe</code> and <code>ebf9de6b67e94b2bd2b0dcda1941e04fef1a1dad830404813e468ab8744b7ed8</code>.</li>
<li>Implement the Sigma rule provided below to detect the download of suspicious binaries on network devices.</li>
<li>Monitor network traffic for connections originating from Asus routers to unusual or known malicious IP addresses (future enrichment).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>botnet</category><category>router</category><category>kadnap</category></item></channel></rss>