Security researchers discovered a new IoT botnet that is in a league superior to the Mirai variants that rise and fall on a daily basis.
The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.
Communication with the command and control (C2) servers is encrypted, and its capabilities include data exfiltration and command execution.
According to research from Avast, the malware has been active since at least December 2017 and targets devices on several CPU architectures, including MIPS, ARM, x86, x64, PowerPC, and SuperH.
Although multi-platform support is common among Mirai-based threats, the researchers say Torii supports one of the largest sets of architectures they've seen so far.
Renowned security researcher Dr. Vesselin Bontchev caught a sample of this malware in his Telnet honeypot. He noticed that the attack came in on port 23, the Telnet port, but that the communication was tunneled through the Tor network, a detail that inspired the name Avast gave the botnet.
My honeypot just caught something substantially new. Spreads via Telnet but not your run-of-the-mill Mirai variant or Monero miner... — Vess (@VessOnSecurity) September 19, 2018
First stage is just a few commands that download a rather sophisticated shell script, disguised as a CSS file. (URL is still live.) pic.twitter.com/r5L0I8PC0h
Torii infects systems that have Telnet exposed and protected by weak credentials. It executes a sophisticated script that determines the architecture of the device and tries multiple commands - 'wget', 'ftpget', 'ftp', 'busybox wget', or 'busybox ftpget' - to ensure delivery of the binary payloads.
The script then downloads a first-stage payload for the architecture of the device, which is just a dropper for the second-stage payload, which is also persistent.
Torii is the third IoT botnet, after VPNFilter and Hide and Seek, to gain persistence on the infected device. This means that Torii survives system reboots, and removing it is possible by resetting the device to its default configuration.
"It uses at least six methods to make sure the file remains on the device and always runs. And, not just one method is executed – it runs all of them," the researchers discovered.
While the traffic to the C2 server is encrypted and carried over port 443, the port normally used for TLS, the malware does not use the TLS protocol.
The information exchanged this way helps fingerprint the device, as the malware exfiltrates the hostname, process ID, MAC addresses and other system details.
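Because the C2 channel sits on port 443 without speaking TLS, a defender can catch it by checking whether the first client bytes of each 443 flow form a TLS ClientHello. The following is an added example, not code from the article or from Avast's research; the flow records are constructed, and the `Flow` class and function names are this example's own.

```python
# Added example (not from the article or Avast's report): flag flows to TCP/443
# whose first client bytes are not a TLS ClientHello, the kind of non-TLS
# traffic the article describes for Torii's C2 channel.
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by the client


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Check the TLS record header and handshake type of a client's first bytes.

    A ClientHello starts with content type 0x16 (handshake), a record version
    whose major byte is 0x03, a 2-byte record length, and then a handshake
    message whose type byte is 0x01 (ClientHello).
    """
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    handshake_type = data[5]
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and record_len > 0 and handshake_type == 0x01)


def flag_non_tls_on_443(flows):
    """Return the flows to port 443 that do not begin with a TLS ClientHello."""
    return [f for f in flows
            if f.dport == 443 and not looks_like_tls_client_hello(f.first_bytes)]


# Constructed sample flows: a genuine ClientHello prefix, plaintext HTTP on 443,
# an opaque blob (a custom encrypted stream), and an unrelated port-80 flow.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("160301004c0100004803030102")),
    Flow("10.0.0.6", "203.0.113.11", 443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.12", 443, bytes.fromhex("7a3c91e0ff02b855aa10")),
    Flow("10.0.0.8", "203.0.113.13", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for f in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS traffic to 443: {f.src} -> {f.dst}, first bytes {f.first_bytes[:8]!r}")
```

In a real deployment the first-bytes field would come from a packet capture or a flow sensor that records the initial client payload; the check is a coarse filter, so flagged flows still need a look at who the destination is and how often the device talks to it.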
The expected purpose of an IoT botnet is distributed denial-of-service or mining for cryptocurrencies but Torii does not show such intentions; at least for the moment.
Its functionality remains a mystery for now, but the possibilities are numerous because it can be used to run any command on the infected device. Moreover, the fact that it is written in the Go language allows it to be recompiled for a diverse array of devices.
"Taking into account that this file is running on a malware distribution machine, it is quite possible that it is a backdoor or even a service to orchestrate multiple machines," Avast surmises.
It is worth noting that although Torii shares some features with the Hide and Seek IoT botnet discovered in January by Bitdefender, the two are separate beasts.
Marco Ramilli of the cybersecurity company Yoroi analyzed the malware and noticed similarities to the Persirai worm, which exploited weaknesses in the UPnP protocol to infect IP cameras in May last year.