Sophisticated IoT Botnet Torii Uses 6 Persistence Methods

Security researchers have uncovered a new botnet targeting Linux-based devices that’s more sophisticated than Mirai and most other IoT botnets observed so far.

Researchers from antivirus vendor Avast have dubbed the new botnet Torii because its method of propagation is through Telnet brute-force attacks that are routed through the Tor anonymity network.

Security researcher Vesselin Bontchev, known on Twitter as VessOnSecurity, was the first to spot the new malware after one of his honeypots caught it. Researchers from Avast later jumped in and took the investigation further.

According to their preliminary findings, the botnet can infect a wide range of devices that use many CPU architectures: MIPS, ARM, x86, x64, PowerPC, SuperH, Motorola 68k and more with various bit widths and endianness. It’s one of the largest sets of architectures supported by a single malware program that Avast has seen to date.

If the Telnet attack is successful, the malware executes a shell script that tries to download an architecture-specific payload using several commands typically supported on embedded platforms. The download is attempted over both HTTP and authenticated FTP.

The first-stage payload is a “dropper” whose main purpose is to download and install a second-stage payload. The dropper also establishes persistence for the secondary payload using not one, but six different techniques to ensure the malware starts after every device reboot. This routine is just one of the places where the Torii attackers proved they are not amateur malware developers and have a high familiarity with embedded platforms.

Like the dropper, the secondary payload also has binaries for different CPU architectures, but the functionality varies between the architecture-specific variants. That said, the common features include downloading and executing files from the command-and-control (CnC) server, executing shell commands and sending the output back to the attackers, reading files from local storage and sending their contents to the server, deleting files and downloading files from specified URLs.

Unlike most IoT botnets, the Torii malware uses anti-sandbox and other techniques that are meant to make analysis harder for security researchers. The communication with the CnC server is done over TCP port 443, but it is not actually HTTPS. Instead, the attackers implemented their own custom encrypted communication protocol, so the traffic blends in with HTTPS only at the port level.
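The "port 443 but not TLS" detail is something defenders can check for directly. The following is an added example (not code from the article or from Avast) that looks at the first client-to-server bytes of a flow to TCP/443 and flags anything that does not start with a TLS ClientHello record. The sample flows are constructed for illustration and are not captured Torii traffic.

```python
"""Triage TCP/443 flows: does the client actually start a TLS handshake?

A legitimate HTTPS session begins with a TLS record of content type 0x16
(handshake) whose first handshake message is a ClientHello (type 0x01).
Custom protocols riding on 443, like the one described for Torii, fail
this check on their very first bytes.
"""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
# SSL 3.0 through TLS 1.3 as they appear in the version fields.
KNOWN_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}
MAX_RECORD_LEN = 16384 + 2048   # plaintext max plus allowed expansion


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """Return True if the bytes start with a plausible TLS ClientHello record."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(first_bytes) < 9:
        return False
    rec_type, rec_ver, rec_len = struct.unpack("!BHH", first_bytes[:5])
    if rec_type != TLS_HANDSHAKE or rec_ver not in KNOWN_VERSIONS:
        return False
    if first_bytes[5] != CLIENT_HELLO:
        return False
    hs_len = int.from_bytes(first_bytes[6:9], "big")
    # Handshake message plus its 4-byte header must fit in a sane record.
    if rec_len > MAX_RECORD_LEN or hs_len + 4 > rec_len:
        return False
    # The legacy client_version inside the ClientHello must also be a TLS version.
    if len(first_bytes) >= 11:
        client_ver = struct.unpack("!H", first_bytes[9:11])[0]
        if client_ver not in KNOWN_VERSIONS:
            return False
    return True


def triage_port443_flows(flows):
    """Return the flow ids whose first client bytes are not a TLS ClientHello.

    `flows` is an iterable of (flow_id, first_bytes) tuples, e.g. extracted
    from a packet capture (the extraction itself is out of scope here).
    """
    return [fid for fid, data in flows if not looks_like_tls_client_hello(data)]


# Constructed sample flows (not real traffic): a well-formed ClientHello
# header, a custom binary protocol, and a plain-text banner.
SAMPLE_FLOWS = [
    ("10.0.0.5:51234->203.0.113.7:443",
     bytes.fromhex("160301002a010000260303") + b"\x00" * 32),
    ("10.0.0.9:40001->198.51.100.2:443",
     bytes.fromhex("deadbeef00000010aabbccdd")),
    ("10.0.0.12:40002->198.51.100.3:443",
     b"HELO bot-1\r\n"),
]

if __name__ == "__main__":
    for fid in triage_port443_flows(SAMPLE_FLOWS):
        print("non-TLS traffic on 443:", fid)
```

This is a heuristic on the first bytes only: it catches a protocol that makes no attempt to look like TLS, which is what the article describes, but a bot that prepended a fake ClientHello would pass it, so it belongs alongside JA3-style fingerprinting and certificate inspection rather than replacing them.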

The Avast researchers have managed to analyze the files stored on the download server used for Torii payload delivery. The access logs indicate that almost 600 unique IPs downloaded files from the server over a period of a few days. However, evidence based on past CnC domains suggests that the botnet has been in operation since at least December 2017.

“Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before,” the Avast researchers said. “Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the CnC, but by communicating with the CnC, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use.”

FBI Warns About Rise in RDP Attacks

The number of attacks over the Remote Desktop Protocol (RDP) has been on the rise since 2016, with attackers using multiple ways to identify and exploit vulnerable RDP sessions, the Internet Crime Complaint Center (IC3) warns in a new alert.

“The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) recommend businesses and private citizens review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed,” the alert reads.

Cybercriminals commonly sell and buy RDP access to computers on underground markets and this access is used to install malware. Several strains of ransomware that target businesses, including CrySiS, CryptON and Samsam are also known to spread over RDP.

The most common RDP failures are the use of weak passwords that are vulnerable to brute-force and dictionary attacks, the use of outdated RDP versions whose weak encryption is vulnerable to man-in-the-middle attacks, allowing unrestricted access to the default RDP port (TCP 3389) from the internet, and allowing unlimited login attempts for RDP users instead of enforcing an account lockout policy.
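Weak passwords combined with unlimited login attempts on an exposed 3389 show up in the Windows Security log as a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP), often followed by a success (event ID 4624) from the same source. The detector below is an added example, not part of the IC3 alert; the `key=value` event lines are constructed for illustration and are an assumed flattening of the real event fields, not the native EVTX layout.

```python
"""Flag RDP brute-force activity in (flattened) Windows Security events.

Event 4625 = failed logon, event 4624 = successful logon; LogonType 10 is
RemoteInteractive, which is how RDP sessions are recorded. Failures per
source IP are counted in a sliding window; a later success from a flagged
source is reported as the likely compromise.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"
FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


def parse_event(line):
    """Parse one constructed 'time=... id=... logon_type=... src_ip=... user=...' line."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {src_ip: {"failures": n, "users": [...], "success_after": user|None}}
    for sources with at least `threshold` failed RDP logons inside `window`.
    Events are expected in chronological order."""
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still in window
    users = defaultdict(set)      # src_ip -> usernames tried
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue                      # console/network logons are out of scope
        src = ev["src_ip"]
        if ev["id"] == SUCCESS_LOGON:
            if src in alerts:             # success after a flagged spray
                alerts[src]["success_after"] = ev["user"]
            continue
        if ev["id"] != FAILED_LOGON:
            continue
        q = recent[src]
        q.append(ev["time"])
        users[src].add(ev["user"])
        while q and ev["time"] - q[0] > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(src, {"success_after": None})
            alert["failures"] = len(q)
            alert["users"] = sorted(users[src])
    return alerts


# Constructed sample events (not real log data): one spraying source that
# eventually gets in, one user who mistypes a password twice, one console logon.
SAMPLE_EVENTS = [
    "time=2018-10-01T02:00:00 id=4625 logon_type=10 src_ip=198.51.100.23 user=Administrator",
    "time=2018-10-01T02:00:07 id=4625 logon_type=10 src_ip=198.51.100.23 user=admin",
    "time=2018-10-01T02:00:15 id=4625 logon_type=10 src_ip=198.51.100.23 user=backup",
    "time=2018-10-01T02:00:21 id=4625 logon_type=10 src_ip=198.51.100.23 user=scanner",
    "time=2018-10-01T02:00:30 id=4625 logon_type=10 src_ip=198.51.100.23 user=Administrator",
    "time=2018-10-01T02:00:40 id=4625 logon_type=10 src_ip=198.51.100.23 user=Administrator",
    "time=2018-10-01T02:01:00 id=4624 logon_type=10 src_ip=198.51.100.23 user=Administrator",
    "time=2018-10-01T02:10:00 id=4625 logon_type=10 src_ip=10.0.0.44 user=jsmith",
    "time=2018-10-01T02:11:00 id=4625 logon_type=2 src_ip=10.0.0.44 user=jsmith",
    "time=2018-10-01T02:30:00 id=4625 logon_type=10 src_ip=10.0.0.44 user=jsmith",
]

if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

The threshold and window are the same knobs an account lockout policy exposes; if lockout were enforced, the source above would have been blocked long before its sixth attempt, which is the point of the alert's last recommendation.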

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42