Friday, December 1, 2023

A New Mirai based IoT RAT Spreading Through 2 0-day Vulnerabilities

Netlab observed a new IoT botnet exploits two Tenda router 0-day vulnerabilities to install a Remote Access Trojan (RAT).

The botnet dubbed Ttint was found to be active since November 2019, along with DDoS capabilities it includes 12 remote access functions.

Ttint IoT Botnet Attack

Attackers used following Tenda router 0-day vulnerability (CVE-2018-14558 & CVE-2020-10987) to distribute the Ttint samples.

The Tint remote access Trojan based on Mirai code, it includes 10 Mirai DDoS attack instructions & 12 control instructions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, executing custom system commands.

Once the Ttint gets executed “it deletes its files, manipulates the watchdog, and prevents the device from restarting, it runs as a single instance by binding the port; then modifies the process name to confuse the user; it finally establishes a connection with the decrypted C2, Reporting device information.”

Ttint Bot supports for 22 commands, 10 DDoS commands inherited from Mirai, and 12 new commands.

12run “nc” command
13run “ls” command
15Execute system commands
16Tampering with router DNS
18Report device information
14Config iptables
11run “ifconfig” command
19Open Socks5 proxy
20Close Socks5 proxy
22Reverse shell

According to Netlab analysis, “the attacker first used a Google cloud service IP, and then switched to a hosting provider in Hong Kong.”

All the communication with the C2 server is encrypted and for communication, it uses WSS (WebSocket over TLS) protocol.

As with any new technology, IoT promises to be the future of the Internet, bringing better connectivity and ease of use of the devices we use, but as these two botnet attacks show, an equal amount of stress must be placed on security.

Tenda router users are recommended to check their device firmware and make the necessary update, here you can find the IoCs.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

CISA Warns Hackers Exploiting Wastewater Systems Logic Controllers

In a disconcerting turn of events, cyber threat actors have set their sights on...

Zyxel Command Injection Flaws Let Attackers Run OS Commands

Three Command injection vulnerabilities have been discovered in Zyxel NAS (Network Attached Storage) products,...

North Korean Hackers Attacking macOS Using Weaponized Documents

Hackers often use weaponized documents to exploit vulnerabilities in software, which enables the execution...

Most Popular Websites Still Allow Users To Have Weak Passwords

The latest analysis shows that tens of millions of people are creating weak passwords...

Chrome Zero-Day Vulnerability That Exploited In The Wild

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles