Hunting Aisuru & Kimwolf: Traffic Patterns & Persistence Post-Takedown
It’s encouraging to see the international takedown of the Aisuru, Kimwolf, JackSkid, and Mossad botnets. However, we know from experience that disrupting the C2 infrastructure doesn't automatically sanitize the 3 million+ compromised IoT devices. The bots are likely still sitting on edge networks, waiting for new commands or attempting to reconnect to fallback domains.
I've been analyzing the Mossad variant specifically. It appears to be a heavily modified Mirai derivative that targets port 2323/TCP—a port often overlooked in standard firewall audits compared to 23/TCP. It also seems to be exploiting legacy vulnerabilities in specific SoC routers. We're still seeing scanners probing for CVE-2021-36260 (Hikvision) and even Realtek SDK vulnerabilities that were prominent last year.
For those looking to identify infected nodes on their network, keep an eye out for high-entropy DNS queries and traffic on non-standard ports. Here is a quick Python snippet to help scan local subnets for devices with Telnet/2323 open, which are prime candidates for reinfection:
import socket
import subprocess
import ipaddress
def check_port(ip, port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(1)
result = s.connect_ex((ip, port))
s.close()
return result == 0
def scan_subnet(subnet):
print(f"Scanning {subnet} for open ports 23 and 2323...")
network = ipaddress.ip_network(subnet)
for host in network.hosts():
if check_port(str(host), 23) or check_port(str(host), 2323):
print(f"[!] Potential IoT Bot found at: {host}")
# Example usage
scan_subnet("192.168.1.0/24")
We’ve updated our IDS signatures to look for the specific User-Agent strings associated with these botnets.
**Discussion Question:** For those managing MSPs or large corporate networks, are you proactively factory-resetting edge devices, or are you relying on network segmentation to contain potential DDoS participants?
Great snippet. We're seeing a lot of success simply by blocking inbound traffic to TCP/2323 and TCP/8080 at the perimeter. However, the real headache is the outbound traffic. We've implemented the following KQL query in Sentinel to catch the heartbeat attempts before they turn into outbound floods:
NetworkCommunicationEvents
| where DestinationPort in (2323, 8080)
| where RemoteIP has_any (" malicious_ip_list ")
| summarize count() by SourceIP, DestinationPort
It's catching a surprising amount of 'smart' plugs that users brought in from home.
From an MSP perspective, factory resets are a nightmare for clients because they lose custom configurations. We've been pushing out a scripted mitigation via our RMM tool instead. It disables Telnet completely on supported devices via the CLI and updates the admin password to a high-entropy random string stored in our vault. It's not a cure-all, but it stops the immediate reinfection while we wait for hardware replacements.
Don't forget that many of these IoT botnets also use UPnP to open ports dynamically. Even if you block 2323 manually, the malware might just open 48101 or something else via UPnP. I highly recommend disabling UPnP on the edge router entirely if you can afford the manual port forwarding management. It closes a massive vector for Mossad and its ilk.
To catch the bots attempting to reconnect to fallback C2 infrastructure, I recommend hunting for high-frequency DNS queries generated by the infected edge devices. Since Mirai variants often use domain generation algorithms (DGAs), monitoring for suspicious query patterns is effective.
Here is a basic KQL query for Microsoft Sentinel to spot these anomalies:
DnsEvents
| where TimeGenerated > ago(12h)
| where QueryType in ("A", "AAAA")
| summarize Count = count() by Name, ClientIP
| where Count > 50
| sort by Count desc
To complement the DNS hunting, don't overlook the 'heartbeat' intervals. These Mirai variants often send tiny, periodic packets to verify connectivity with C2s before executing payloads. We use Zeek to flag sessions with high packet counts but extremely low byte transfer on ports like 2323.
zeek event connection_state_remove(c: connection) { if ( c$duration > 2min && c$orig_pkts > 10 && c$orig$size < 200 && c$id$resp_p == 2323 ) { print fmt("Potential Botnet Heartbeat: %s", c$id$orig_h); } }
This helps identify infected devices even if they haven't successfully resolved a new domain yet.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access