
GreyNoise said that its in-house AI tool, Sift, flagged the suspicious traffic, which disabled logging and switched off a Trend Micro-powered security feature, AiProtection, on ASUS routers.
ASUS' AiProtection, developed with Trend Micro, is a built-in, enterprise-grade security suite for its routers. It uses cloud-based threat intelligence to provide real-time threat detection, malware blocking and intrusion prevention.
After gaining administrative access to the router, either by brute-forcing credentials or by using a known authentication bypass against the web-based administration interface (login.cgi), the attackers exploit an authenticated command injection flaw (CVE-2023-39780) to create an empty file at /tmp/BWSQL_LOG.
Creating that file activates the logging feature of BWDPI, the deep packet inspection component of ASUS' AiProtection suite that inspects incoming and outgoing traffic. With logging turned on, the attackers can feed a prepared (malicious) payload into the router's traffic, because BWDPI was not designed to handle arbitrary data.
In this particular case, the attackers use it to enable SSH on a non-standard port and add their own public key, creating a persistent backdoor. "Because this key is added using official ASUS features, it survives configuration changes and firmware upgrades," GreyNoise researchers said. "If you have been exploited earlier, upgrading your firmware will not remove the SSH backdoor."
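Because a firmware upgrade does not undo the persistence described above, the practical response is to audit the router's own configuration for the indicators: the /tmp/BWSQL_LOG marker file, SSH enabled on a non-default port, and an authorized key that the administrator did not add. The script below is an added example written for this article, not GreyNoise's or ASUS's code. It assumes ASUSWRT-style nvram variables (sshd_enable, sshd_port, sshd_authkeys, with multiple keys separated by ">"); those names and the separator are assumptions to check against your firmware. The nvram dumps in the usage block are constructed sample data.

```shell
#!/bin/sh
# Added example (not GreyNoise's or ASUS's code): audit an ASUS router for the
# SSH-persistence chain described in the article.
#
# audit_nvram_dump reads "key=value" lines (the format of `nvram show`) on stdin.
# Optional $1: the comment (e.g. admin@lan) of the one key the admin actually
# installed; every other key is reported. Prints one FINDING per line and
# returns 1 if anything suspicious was seen, 0 otherwise.
# Variable names sshd_enable/sshd_port/sshd_authkeys and the ">" separator
# are assumptions about ASUSWRT nvram layout.
audit_nvram_dump() {
    expected_comment=${1:-}
    findings=0
    sshd_enable=0; sshd_port=22; sshd_authkeys=""
    while IFS= read -r line; do
        case "$line" in
            sshd_enable=*)   sshd_enable=${line#*=} ;;
            sshd_port=*)     sshd_port=${line#*=} ;;
            sshd_authkeys=*) sshd_authkeys=${line#*=} ;;
        esac
    done
    # SSH on a non-standard port is the pattern GreyNoise described.
    if [ "$sshd_enable" != "0" ] && [ "$sshd_port" != "22" ]; then
        echo "FINDING: SSH enabled on non-standard port $sshd_port"
        findings=$((findings + 1))
    fi
    # Walk every stored authorized key; only the expected one is allowed.
    old_ifs=$IFS; IFS='>'
    for key in $sshd_authkeys; do
        [ -z "$key" ] && continue
        if [ -n "$expected_comment" ]; then
            case "$key" in *"$expected_comment") continue ;; esac
        fi
        echo "FINDING: unexpected authorized key: $key"
        findings=$((findings + 1))
    done
    IFS=$old_ifs
    [ "$findings" -eq 0 ]
}

# check_bwdpi_marker looks for the empty file whose presence switches on BWDPI
# logging. $1 is a root prefix (use / on the router; a temp dir when testing).
check_bwdpi_marker() {
    root=${1:-}
    if [ -e "$root/tmp/BWSQL_LOG" ]; then
        echo "FINDING: $root/tmp/BWSQL_LOG exists (BWDPI logging enabled)"
        return 1
    fi
    return 0
}

# Live mode, to be run on the router itself:  sh audit.sh --live admin@lan
if [ "${1:-}" = "--live" ]; then
    nvram show 2>/dev/null | audit_nvram_dump "${2:-}"
    check_bwdpi_marker ""
fi
```

Run it with `--live` from a shell on the router (via the console or an SSH session you set up yourself). A reported key you do not recognise, or an SSH port you never configured, means the device should be factory-reset and re-provisioned rather than merely upgraded, since the nvram settings that carry the backdoor are exactly what an upgrade preserves.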
While GreyNoise did not name a specific CVE for the authentication bypass used for initial access, ASUS recently patched a critical authentication bypass vulnerability, tracked as CVE-2025-2492, that affects routers with the AiCloud feature enabled.

