Most Sophisticated Torii Botnet discovered that spreading with more advanced techniques than famous Mirai Botnet but different than Mirai functionality.

Malware Authors developed Torii botnet with more stealthy and persistence capabilities unlike other botnets it doesn’t perform attacks such as DDOS or other attacks such take down the connected devices.

But this will compromise the victim’s network and steal the sensitive information and execute the command in order to perform various malicious activities through stong layered communication.

Researchers discovered that Torii botnet will support a wide range of target architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, etc.


Initially, it was hit in a telnet honeypot which is discovered by a security researcher, @VessOnSecurity who said, telnet attacks have been coming to his honeypot from Tor exit nodes so that it was named as “Torii”.

Torii Botnet Infection Process

Intially, Attack process starts by executing the Shellscript which is more sophisticated than normal botnets via telnet attack on the weak credentials.

Later it will trying to find out the architecture of the target by attempts to download payload for that device, interestingly Torii supports various device architectures including on x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, PPC .

Mainly it attempt to compromise wide range of common architecture based IoT devices and it used to download many binary payload using several commands.

Torii Botnet using a bash script in order to redirect the infected victims device into malware hosted server.

Once the maware findout the architecture of the target device it downloads and executes the appropriate binary from the server and the payload will perfom only to download the second level of payload.

Both First and second stange of payload using XOR-based encryption and the second stage of payload alsoremain highly persistance which contain 6 methods to make sure the file remains on the device and always runs.

Also Second stage of payload is main contain the bot future that will communcate with its command & control sever to execute the command, also it have some futures such as anti-debugging techniques, data exfiltration, multi-level encryption of communication and many other evasion techniques.

According to logs that analyze by Avast, a total of 592 unique clients were downloading files from this server over a period of a few days. It’s important to remember that once the target device receives the payload, it stops connecting to the download server and connects to the CnC serve to get connect and perform based on it.

Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Avast said.

Also Read:

New Form of Mirai Malware Attacking Cross Platform By leveraging Open-Source Project

Mirai Based Botnet “OMG” Turns IoT Device into a Proxy Server

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here