Security researchers discovered a new IoT botnet that is in a league superior to the Mirai variants that rise and fall on a daily basis.

The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.

Communication with the command and control (C2) servers is  encrypted and capabilities include exfiltration and, command execution.

According to research from Avast, the malware has been active since at least December 2017 and it targets devices on several CPU architectures: like MIPS, ARM, x86, x64, PowerPC, and SuperH.

Although multi-platform support is common among Mirai-based threats, the researchers say Torii supports one of the largest sets of architectures they've seen so far.

Telnet attacks coming through Tor

Reputed security researcher Dr. Vesselin Bontchev caught a sample of this malware in his Telnet honeypot. He noticed that the attack was on port 23 specific to Telnet, but the communication was tunneled through the Tor network, a detail that inspired Avast for the botnet name.

Torii infects systems that have Telnet exposed and protected by weak credentials. It executes a sophisticated script that determines the architecture of the device, and uses multiple commands - 'wget,' 'ftpget,' 'ftp,' 'busybox wget,' or 'busybox ftpget' - to ensure delivery of binary payloads.

Torii lands on IoT devices to stay

The script then downloads a first-stage payload for the architecture of the device, which is just a dropper for the second-stage payload, which is also persistent.

Torii is the third IoT botnet, after VPNFilter and Hide and Seek, to gain persistence on the infected device. This means that Torii survives system reboots and removing it is possible by resetting the the device to its default configuration.

"It uses at least six methods to make sure the file remains on the device and always runs. And, not just one method is executed – it runs all of them," the researchers discovered:

  1. Automatic execution via injected code into ~\.bashrc
  2. Automatic execution via “@reboot” clause in crontab
  3. Automatic execution as a “System Daemon” service via systemd
  4. Automatic execution via /etc/init and PATH. Once again, it calls itself "System Daemon"
  5. Automatic execution via modification of the SELinux Policy Management
  6. Automatic execution via /etc/inittab

Torii is versatile, has no definite purpose

While the traffic to the C2 server is encrypted and carried through the TLS-specific port 443, the malware does not use the TLS protocol.

The information exchanged this way helps fingerprint the device, as the malware exfiltrated hostname, process ID, MAC addresses and system-related details.

The expected purpose of an IoT botnet is distributed denial-of-service or mining for cryptocurrencies but Torii does not show such intentions; at least for the moment.

Its functionality remains a mystery for now but the possibilities are numerous because it can be used to run any command on the infected device. Even more, the fact that it is written in GOP language allows it to be recompiled for a diverse array of devices.

"Taking into account that this file is running on a  malware distribution machine, it is quite possible that it is a backdoor or even a service to orchestrate multiple machines," Avast surmises.

It is worth noting that although Torii shares some features with the Hide and Seek IoT botnet discovered in January by Bitdefender, the two are separate beasts.

Marco Ramilli of Yoroi cybersecurity company analyzed the malware and noticed similarities to the Persirai worm that exploited weaknesses in the UPnP protocol to infect IP cameras in May last year.


Related Articles:

Bushido-Powered DDoS Service Whipped Up from Leaked Code

Botnet of 20,000 WordPress Sites Infecting Other WordPress Sites

Digital Oscilloscope Comes with Backdoor Accounts, Old Software Components

Emotet Returns with Thanksgiving Theme and Better Phishing Tricks

Necurs Botnet Distributing Sextortion Email Scams