Friday, March 29, 2024

Torii Botnet – A New Sophisticated IoT Botnet Attack in Wide – More Powerful Than Mirai

Most Sophisticated Torii Botnet discovered that spreading with more advanced techniques than famous Mirai Botnet but different than Mirai functionality.

Malware Authors developed Torii botnet with more stealthy and persistence capabilities unlike other botnets it doesn’t perform attacks such as DDOS or other attacks such take down the connected devices.

But this will compromise the victim’s network and steal the sensitive information and execute the command in order to perform various malicious activities through stong layered communication.

Researchers discovered that Torii botnet will support a wide range of target architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, etc.

Initially, it was hit in a telnet honeypot which is discovered by a security researcher, @VessOnSecurity who said, telnet attacks have been coming to his honeypot from Tor exit nodes so that it was named as “Torii”.

Torii Botnet Infection Process

Intially, Attack process starts by executing the Shellscript which is more sophisticated than normal botnets via telnet attack on the weak credentials.

Later it will trying to find out the architecture of the target by attempts to download payload for that device, interestingly Torii supports various device architectures including on x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, PPC .

Mainly it attempt to compromise wide range of common architecture based IoT devices and it used to download many binary payload using several commands.

Torii Botnet using a bash script in order to redirect the infected victims device into malware hosted server.

Once the maware findout the architecture of the target device it downloads and executes the appropriate binary from the server and the payload will perfom only to download the second level of payload.

Both First and second stange of payload using XOR-based encryption and the second stage of payload alsoremain highly persistance which contain 6 methods to make sure the file remains on the device and always runs.

Also Second stage of payload is main contain the bot future that will communcate with its command & control sever to execute the command, also it have some futures such as anti-debugging techniques, data exfiltration, multi-level encryption of communication and many other evasion techniques.

According to logs that analyze by Avast, a total of 592 unique clients were downloading files from this server over a period of a few days. It’s important to remember that once the target device receives the payload, it stops connecting to the download server and connects to the CnC serve to get connect and perform based on it.

Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Avast said.

Also Read:

New Form of Mirai Malware Attacking Cross Platform By leveraging Open-Source Project

Mirai Based Botnet “OMG” Turns IoT Device into a Proxy Server

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles