Ttint IoT Botnet - Threat Intelligence Advisory

###### Attack Vector Network
###### Malware Type Remote Access Trojan
###### Category IoT Botnet
###### Target Tenda Router AC15 AC1900
###### Affected Industry All (hardware specific exploit)

Mirai and Mutants

Mirai malware scans the Internet for IoT devices that run on the Argonaut RISC Core (ARC) processor, which runs a stripped down version of the Linux OS. This malware has all the capabilities of a virus/worm/Trojan. A few well known variants of Mirai that are in the wild are Okiru, Satori, Masuta and PureMasuta. Mirai started its operations in the latter part of 2016, and published its source code which led to the inception of various mutants or variants in the wild. Mirai targeted mostly service providers.

Ttint

Ttint is an IoT botnet based on Mirai source code, with added functionalities of command execution and intranet roaming via compromised routers, unlike Mirai that normally orchestrates DDoS attacks. This variant of Mirai uses the following custom control functions as well:

  • SOCKS5 proxy for routers
  • Router DNS tampering at router level
  • Custom IP tables for traffic redirection
  • Custom system command execution
  • WebSocket over TLS [WSS] protocol for C2 communication
  • Reverse Shell
  • Self Upgrade

Exploiting 0-day

Ttint exploits two vulnerabilities, of which one was patched recently (CVE-2020-10987) and the other one remains undisclosed and unpatched. The vulnerability that was patched recently (CVE-2020-10987) targets Tenda routers AC15 AC1900, which allows attackers to execute arbitrary system commands via the “deviceName” POST parameter.

Read more here: https://cloudsek.com/threatintelligence/ttint-iot-botnet-threat-intel-advisory/

4 Likes
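A defender-side check built from the advisory's description of the command-injection vector (arbitrary commands via the `deviceName` POST parameter on Tenda AC15/AC1900), written here as an added example; it is not code from the original post or from the CloudSEK advisory. The log line format, the `/goform/EXAMPLE` path, the `192.0.2.x` source addresses and the 32-character length bound are constructed assumptions, chosen so the script runs offline on embedded sample lines. It flags POST requests whose decoded `deviceName` value contains shell metacharacters, non-printable bytes, or an implausible length, and it decodes repeatedly so a double-percent-encoded value is not missed.

```python
"""Flag suspicious 'deviceName' POST parameters in request logs.

Added example for detection, not the advisory's own tooling.  Log format,
endpoint path and thresholds are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, unquote

# Assumed log format: "<src_ip> <METHOD> <path> "<raw-body>"" (constructed).
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>[^"]*)"$')

# Characters a legitimate router device name never needs; any of these in
# a value that reaches a shell is the injection primitive the CVE describes.
SHELL_META = re.compile(r"[;|&`$()<>{}\n\r]")

# Assumed sane upper bound for a device name; tune to the real field limit.
MAX_NAME_LEN = 32

# Constructed sample lines (not real traffic). Path is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 POST /goform/EXAMPLE "deviceName=LivingRoomAP"',
    '192.0.2.11 POST /goform/EXAMPLE "deviceName=office%3B%20reboot"',
    '192.0.2.12 GET /index.html ""',
    '192.0.2.13 POST /goform/EXAMPLE "deviceName=AC15%24%28uptime%29"',
    # Double percent-encoded: a single decode pass would see only "%24%28".
    '192.0.2.14 POST /goform/EXAMPLE "deviceName=AC15%2524%2528uptime%2529"',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded, to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def device_name_from_body(body):
    """Return the fully decoded deviceName parameter, or None if absent."""
    params = parse_qs(body, keep_blank_values=True)  # decodes one layer
    values = params.get("deviceName")
    if not values:
        return None
    return fully_decode(values[0])


def classify_device_name(name):
    """Return a reason string if the name looks like an injection attempt, else None."""
    if SHELL_META.search(name):
        return "shell metacharacter in deviceName"
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in name):
        return "non-printable byte in deviceName"
    if len(name) > MAX_NAME_LEN:
        return "deviceName longer than %d characters" % MAX_NAME_LEN
    return None


def find_suspicious(lines):
    """Scan log lines; return a list of hits with source, decoded value and reason."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue  # only POST bodies carry the parameter in question
        name = device_name_from_body(m.group("body"))
        if name is None:
            continue
        reason = classify_device_name(name)
        if reason:
            hits.append({"src": m.group("src"), "deviceName": name, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("%(src)s  %(reason)s  value=%(deviceName)r" % hit)
```

Feed it your own access or proxy logs by adapting `LOG_RE`; the decode-until-stable step matters because a single `unquote` pass would see `%24%28` rather than `$(` in the last sample line and miss it.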

CVSS Score 9.8 :confused:

1 Like