AyySSHush Botnet Implants Persistent SSH Backdoor in ASUS Routers

A new threat campaign, dubbed “AyySSHush”, has compromised over 9,000 ASUS routers worldwide. Discovered by GreyNoise and publicized in late May 2025, the operation leverages CVE-2023-39780 and other authentication bypass techniques to implant persistent SSH backdoors. The operation uses stealth tactics typical of APT actors, including abuse of legitimate system features, and may signal the formation of a covert, distributed botnet infrastructure.

Severity Level: High

THREAT OVERVIEW:

  1. Threat Name: AyySSHush Botnet.
  2. Technique: Chained brute-force, authentication bypass, command injection.
  3. Attackers exploit a command injection flaw (CVE-2023-39780) in ASUS routers.
  4. Persistent access is established via SSH keys stored in non-volatile memory.
  5. Over 9,000 devices are confirmed compromised as of May 27, 2025.
  6. Indicators point to nation-state-level sophistication.
  7. Affected Regions: Global.
  8. Affected Products/Versions: ASUS router models RT-AC3100, RT-AC3200 and RT-AX55, and older ASUS firmware versions vulnerable to CVE-2023-39780.

ATTACK FLOW:

  1. Reconnaissance and Target Identification:
    • The attacker scans for ASUS routers online, especially models like RT-AX55, RT-AC3100, and RT-AC3200 with out-of-the-box configurations.
    • Targets routers exposing admin interfaces and TCP port 53282.
  2. Initial Access: Technique: Brute-force login and authentication bypass.
    • Tries default or weak credentials via the /login.cgi endpoint.
    • Employs null byte injection (asus_token=0x00) to bypass authentication.
    • Exploits CVE-2023-39780, a command injection vulnerability in ASUS firmware (start_apply.htm).
  3. Command Injection and Privilege Escalation: Technique: HTTP POST to vulnerable endpoints.
    • POSTs malicious payloads to AiProtection_HomeProtection.asp and other endpoints.
    • This creates the file /tmp/BWSQL_LOG, which activates TrendMicro’s BWDPI logging, a vector used later for persistent access.
  4. Establish Persistence: Technique: SSH backdoor injection.
    • Enables SSH server (sshd_enable=1) on high port TCP/53282.
    • Adds attacker-controlled SSH public key via legitimate ASUS firmware settings.
    • Because this configuration uses official router features, it survives firmware upgrades.
  5. C2-like Access and Post-Exploitation: Technique: Remote shell access via SSH.
    • The attacker connects remotely using the private key corresponding to the injected pubkey.
    • Capable of spawning shell listeners (e.g., via netcat), modifying firewall or DNS settings, and potentially pivoting to internal networks.
  6. Covering Tracks and Re-entry: Technique: Persistence beyond patching.
    • Exploits legitimate system functions (e.g., AiProtection logic).
    • Uses command injection patterns that are hard to detect (format string vulnerabilities, misuse of system() calls).
    • Can be reactivated even after patches unless the config is reset or public keys are manually removed.

Recommendations:

  1. It is recommended to update affected ASUS Router Models to the latest firmware version as soon as possible.
  2. Look for suspicious files and for the attacker’s SSH key in the authorized_keys file:
    AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZJ8L5mzhhaxfGzpHR8Geay/xDlVDSJ8MJwA4RJ7o21KVfRXqFblQH4L6fWIYd1ClQbZ6Kk1uA1r7qx1qEQ2PqdVMhnNdHACvCVz/MPHTVebtkKhEl98MZiMOvUNPtAC9ppzOSi7xz3cSV0n1pG/dj+37pzuZUpm4oGJ3XQR2tUPz5MddupjJq9/gmKH6SJjTrHKSECe5yEDs6c3v6uN4dnFNYA5MPZ52FGbkhzQ5fy4dPNf0peszR28XGkZk9ctORNCGXZZ4bEkGHYut5uvwVK1KZOYJRmmj63drEgdIioFv/x6IcCcKgi2w== rsa 2048
    If a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed.
  3. Check ASUS routers for SSH access on TCP/53282.
  4. Review the authorized_keys file for unauthorized entries.
  5. If compromise is suspected, perform a full factory reset and reconfigure manually.
  6. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/507294413196d202923f156c5d62f6513b0df114de6778163b2df004832a711c/iocs
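The checks in recommendations 2 to 4 can be run offline over data already pulled from a router. The following is an added example, not code from the advisory or from ASUS: it parses `key=value` NVRAM output and an authorized_keys file, then reports the campaign's indicators (sshd enabled on TCP/53282, the published attacker key, the /tmp/BWSQL_LOG trigger file) and any key not on an operator allow-list. The NVRAM variable name sshd_port is an assumed ASUSWRT name; sshd_enable is the one the advisory cites; all sample data is constructed.

```python
# Offline triage of data already pulled from an ASUS router (`nvram show` output,
# the authorized_keys file, a /tmp listing) for AyySSHush indicators. Nothing
# here touches a device; sshd_port is an assumed ASUSWRT NVRAM name.

# Attacker public key body exactly as published in the advisory.
KNOWN_BAD_KEY = "AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZJ8L5mzhhaxfGzpHR8Geay/xDlVDSJ8MJwA4RJ7o21KVfRXqFblQH4L6fWIYd1ClQbZ6Kk1uA1r7qx1qEQ2PqdVMhnNdHACvCVz/MPHTVebtkKhEl98MZiMOvUNPtAC9ppzOSi7xz3cSV0n1pG/dj+37pzuZUpm4oGJ3XQR2tUPz5MddupjJq9/gmKH6SJjTrHKSECe5yEDs6c3v6uN4dnFNYA5MPZ52FGbkhzQ5fy4dPNf0peszR28XGkZk9ctORNCGXZZ4bEkGHYut5uvwVK1KZOYJRmmj63drEgdIioFv/x6IcCcKgi2w=="
BACKDOOR_PORT = "53282"
LOG_TRIGGER_FILE = "/tmp/BWSQL_LOG"

# Constructed sample input resembling a compromised device (not real captures).
TRUSTED_ADMIN_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyNotReal"
SAMPLE_NVRAM = "sshd_enable=1\nsshd_port=53282\nlan_ipaddr=192.168.50.1\n"
SAMPLE_AUTH_KEYS = ("# admin laptop\nssh-ed25519 " + TRUSTED_ADMIN_KEY + " admin@lan\n"
                    "ssh-rsa " + KNOWN_BAD_KEY + " rsa 2048\n")
SAMPLE_TMP_LISTING = ("/tmp/BWSQL_LOG", "/tmp/syslog.log")

def parse_nvram(text):
    """Turn `key=value` lines into a dict; values may themselves contain '='."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def parse_authorized_keys(text):
    """Return (type, body, comment) per key line; blank and '#' lines are skipped."""
    keys = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) >= 2 and not parts[0].startswith("#"):
            keys.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return keys

def assess(nvram, keys, tmp_files=(), trusted_bodies=()):
    """Return findings (empty = nothing seen); keys not on the allow-list are flagged too."""
    findings = []
    if nvram.get("sshd_enable") == "1" and nvram.get("sshd_port") == BACKDOOR_PORT:
        findings.append("sshd enabled on TCP/" + BACKDOOR_PORT + " (campaign backdoor port)")
    for ktype, body, comment in keys:
        if body == KNOWN_BAD_KEY:
            findings.append("known AyySSHush public key present (" + ktype + " " + comment + ")")
        elif body not in trusted_bodies:
            findings.append("unrecognised authorized key: " + ktype + " " + (comment or "<no comment>"))
    if LOG_TRIGGER_FILE in tmp_files:
        findings.append(LOG_TRIGGER_FILE + " present (BWDPI logging trigger from the attack chain)")
    return findings

def triage_sample():
    """Run the checks over the constructed sample; expect three findings."""
    return assess(parse_nvram(SAMPLE_NVRAM), parse_authorized_keys(SAMPLE_AUTH_KEYS),
                  SAMPLE_TMP_LISTING, trusted_bodies=(TRUSTED_ADMIN_KEY,))
```

Any finding other than an allow-listed key warrants the factory reset and manual reconfiguration in recommendation 5, since a firmware update alone leaves the key in place.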

Source:

  • https://www.bleepingcomputer.com/news/security/botnet-hacks-9-000-plus-asus-routers-to-add-persistent-ssh-backdoor/
  • https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers
  • https://www.labs.greynoise.io/grimoire/2025-03-28-ayysshush/

Ampcus Cyber