Tuesday, February 27, 2024

Torii Botnet – A New Sophisticated IoT Botnet Attack in Wide – More Powerful Than Mirai

Most Sophisticated Torii Botnet discovered that spreading with more advanced techniques than famous Mirai Botnet but different than Mirai functionality.

Malware Authors developed Torii botnet with more stealthy and persistence capabilities unlike other botnets it doesn’t perform attacks such as DDOS or other attacks such take down the connected devices.

But this will compromise the victim’s network and steal the sensitive information and execute the command in order to perform various malicious activities through stong layered communication.

Researchers discovered that Torii botnet will support a wide range of target architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, etc.

Initially, it was hit in a telnet honeypot which is discovered by a security researcher, @VessOnSecurity who said, telnet attacks have been coming to his honeypot from Tor exit nodes so that it was named as “Torii”.

Torii Botnet Infection Process

Intially, Attack process starts by executing the Shellscript which is more sophisticated than normal botnets via telnet attack on the weak credentials.

Later it will trying to find out the architecture of the target by attempts to download payload for that device, interestingly Torii supports various device architectures including on x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, PPC .

Mainly it attempt to compromise wide range of common architecture based IoT devices and it used to download many binary payload using several commands.

Torii Botnet using a bash script in order to redirect the infected victims device into malware hosted server.

Once the maware findout the architecture of the target device it downloads and executes the appropriate binary from the server and the payload will perfom only to download the second level of payload.

Both First and second stange of payload using XOR-based encryption and the second stage of payload alsoremain highly persistance which contain 6 methods to make sure the file remains on the device and always runs.

Also Second stage of payload is main contain the bot future that will communcate with its command & control sever to execute the command, also it have some futures such as anti-debugging techniques, data exfiltration, multi-level encryption of communication and many other evasion techniques.

According to logs that analyze by Avast, a total of 592 unique clients were downloading files from this server over a period of a few days. It’s important to remember that once the target device receives the payload, it stops connecting to the download server and connects to the CnC serve to get connect and perform based on it.

Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Avast said.

Also Read:

New Form of Mirai Malware Attacking Cross Platform By leveraging Open-Source Project

Mirai Based Botnet “OMG” Turns IoT Device into a Proxy Server


Latest articles

ThreatHunter.ai Stops Hundreds of Attacks in 48 Hours: Fighting Ransomware and Nation-State Cyber Threats

The current large surge in cyber threats has left many organizations grappling for security...

WordPress Plugin Flaw Exposes 200,000+ Websites for Hacking

A critical security flaw has been identified in the Ultimate Member plugin for WordPress,...

Hackers Actively Hijacking ConnectWise ScreenConnect server

ConnectWise, a prominent software company, issued an urgent security bulletin on February 19, 2024,...

Heavily Obfuscated PIKABOT Evades EDR Protection

PIKABOT is a polymorphic malware that constantly modifies its code, making it hard to...

Anonymous Sudan Promoting New DDoS Botnet: Beware

It has come to light that a group known as Anonymous Sudan is actively...

Scattered Spider: Advanced Techniques for Launching High-Profile Attacks

Scattered Spider is a threat group responsible for attacking several organizations since May 2022...

8220 Hacker Group Attacking Linux & Windows Users to Mine Crypto

In a significant escalation of cyber threats, the 8220 Gang, a notorious Chinese-based hacker group, has intensified its attacks...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles