Netlab observed a new IoT botnet exploits two Tenda router 0-day vulnerabilities to install a Remote Access Trojan (RAT).
The botnet dubbed Ttint was found to be active since November 2019, along with DDoS capabilities it includes 12 remote access functions.
Attackers used following Tenda router 0-day vulnerability (CVE-2018-14558 & CVE-2020-10987) to distribute the Ttint samples.
The Tint remote access Trojan based on Mirai code, it includes 10 Mirai DDoS attack instructions & 12 control instructions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, executing custom system commands.
Once the Ttint gets executed “it deletes its files, manipulates the watchdog, and prevents the device from restarting, it runs as a single instance by binding the port; then modifies the process name to confuse the user; it finally establishes a connection with the decrypted C2, Reporting device information.”
Ttint Bot supports for 22 commands, 10 DDoS commands inherited from Mirai, and 12 new commands.
| ID | INSTRUCTION |
|---|---|
| 0 | attack_udp_generic |
| 1 | attack_udp_vse |
| 2 | attack_udp_dns |
| 9 | attack_udp_plain |
| 3 | attack_tcp_flag |
| 4 | attack_tcp_pack |
| 5 | attack_tcp_xmas |
| 6 | attack_grep_ip |
| 7 | attack_grep_eth |
| 10 | attack_app_http |
| 12 | run “nc” command |
| 13 | run “ls” command |
| 15 | Execute system commands |
| 16 | Tampering with router DNS |
| 18 | Report device information |
| 14 | Config iptables |
| 11 | run “ifconfig” command |
| 17 | Self-exit |
| 19 | Open Socks5 proxy |
| 20 | Close Socks5 proxy |
| 21 | Self-upgrade |
| 22 | Reverse shell |
According to Netlab analysis, “the attacker first used a Google cloud service IP, and then switched to a hosting provider in Hong Kong.”
All the communication with the C2 server is encrypted and for communication, it uses WSS (WebSocket over TLS) protocol.
As with any new technology, IoT promises to be the future of the Internet, bringing better connectivity and ease of use of the devices we use, but as these two botnet attacks show, an equal amount of stress must be placed on security.
Tenda router users are recommended to check their device firmware and make the necessary update, here you can find the IoCs.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
Obfuscated malware presents one of the most challenging threats in cybersecurity today. As static analysis…
DNS tunneling represents one of the most sophisticated attack vectors targeting enterprise networks today, leveraging…
Cloud adoption has transformed organizations' operations but introduces complex security challenges that demand proactive leadership…
A federal whistleblower has accused the Department of Government Efficiency (DOGE) of orchestrating a major…
In today’s threat landscape, cybersecurity is no longer confined to firewalls and encryption it’s a…
Microsoft has reported significant strides in thwarting financial fraud across its ecosystem. From April 2024…
![](data:image/svg+xml;charset=utf-8,<svg height="400px" width="1000px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
