IoT botnet exploiting two zero-day flaws in Tenda routers

The Ttint botnet is based heavily on the Mirai malware and includes 12 protocols for remote access

Attackers have spread a Remote Access Trojan (RAT) based on the Mirai malware to create a botnet by exploiting two zero-day vulnerabilities in routers manufactured by Tenda.

The botnet, dubbed Ttint, targets routers specifically and is based on code from the Mirai botnet-spreading malware. This malware was found to receive ten Mirai distributed denial of service (DDoS) attack instructions, as well as 12 remote control instructions, according to researchers with Netlab.

The team first detected hackers using the first of two zero-day vulnerabilities to spread samples of the malware. The flaw, tagged as CVE-2018-14558, was disclosed publicly for the first time in July by researchers with Independent Security Evaluators.

Netlab saw the second Tenda router zero-day vulnerability, tagged as CVE-2020-10987, being exploited to spread Ttint samples in August this year. The team subsequently reported the details of this flaw, as well as the proof-of-concept, although the manufacturer has not yet responded.

The researchers compared Ttint samples from these two periods and found that the command and control (C2) instructions were exactly the same, albeit with some differences in the vulnerability exploited, the cipher key and the C2 protocol.

“The conventional Mirai variants normally focus on DDoS, but this variant is different,” according to Netlab’s report. “In addition to DDoS attacks, it implements 12 remote access functions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, executing custom system commands.

“In addition, at the C2 communication level, it uses the WSS (WebSocket over TLS) protocol. Doing this can circumvent the typical Mirai traffic detection at the traffic level, and it also provides secure encrypted communication for C2.”

While Ttint is a botnet, its 12 different remote access methods set it apart from most other botnets, with hackers using the routers as proxies to relay traffic, tamper with firewall and DNS settings, and execute commands remotely.

When running, Ttint deletes its own files, manipulates the watchdog and prevents the device from restarting. The malware also ensures only a single instance runs by binding to a port, and modifies its process name to confuse the user. Finally, it establishes a connection with the decrypted C2 server and reports device information. From this point, it waits for the C2 server to issue instructions and executes the corresponding attacks.
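Three of the behaviours described above (tampering with router DNS, adding iptables rules and binding a port so only one instance runs) all leave traces in a router's own configuration. The following is an added illustration, not code from Netlab or IT Pro, of how a defender can snapshot those settings from a known-good device and diff later snapshots against that baseline. All resolver addresses, rules and port numbers below are constructed for the example and are not indicators from the Ttint report.

```python
"""Baseline drift check for a router's DNS, firewall and listening sockets.

Added example (not Netlab's or IT Pro's code). The three parsers accept the
text of /etc/resolv.conf, the output of `iptables -S` and the output of
`netstat -ln`; the sample inputs below are constructed and are not IoCs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    dns_servers: frozenset      # resolver addresses from /etc/resolv.conf
    iptables_rules: frozenset   # policy and rule lines from `iptables -S`
    listening_ports: frozenset  # (proto, port) pairs from `netstat -ln`


def parse_resolv_conf(text):
    """Collect every `nameserver` entry."""
    servers = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.add(parts[1])
    return frozenset(servers)


def parse_iptables(text):
    """Keep each non-empty rule/policy line verbatim so any change is visible."""
    return frozenset(line.strip() for line in text.splitlines() if line.strip())


def parse_listening(text):
    """Extract (proto, port) for IPv4 tcp/udp sockets from `netstat -ln` output."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("tcp", "udp"):
            port = parts[3].rsplit(":", 1)[-1]   # local address is column 4
            if port.isdigit():
                ports.add((parts[0], int(port)))
    return frozenset(ports)


def diff_snapshots(baseline, current):
    """Return human-readable findings for every deviation from the baseline."""
    findings = []
    for server in sorted(current.dns_servers - baseline.dns_servers):
        findings.append(f"DNS: unexpected resolver {server}")
    for server in sorted(baseline.dns_servers - current.dns_servers):
        findings.append(f"DNS: expected resolver {server} missing")
    for rule in sorted(current.iptables_rules - baseline.iptables_rules):
        findings.append(f"FIREWALL: new rule {rule!r}")
    for rule in sorted(baseline.iptables_rules - current.iptables_rules):
        findings.append(f"FIREWALL: baseline rule removed {rule!r}")
    for proto, port in sorted(current.listening_ports - baseline.listening_ports):
        findings.append(f"LISTENER: new {proto} socket on port {port}")
    return findings


# --- constructed sample data (documentation-range addresses, arbitrary port) ---
BASELINE_RESOLV = "nameserver 192.0.2.1\n"
CURRENT_RESOLV = "nameserver 192.0.2.1\nnameserver 198.51.100.77\n"

BASELINE_IPTABLES = """-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"""
CURRENT_IPTABLES = BASELINE_IPTABLES + "-A INPUT -p tcp --dport 8888 -j ACCEPT\n"

BASELINE_NETSTAT = """tcp        0      0 0.0.0.0:53       0.0.0.0:*    LISTEN
tcp        0      0 0.0.0.0:80       0.0.0.0:*    LISTEN
udp        0      0 0.0.0.0:53       0.0.0.0:*
"""
CURRENT_NETSTAT = BASELINE_NETSTAT + "tcp        0      0 0.0.0.0:8888     0.0.0.0:*    LISTEN\n"


def check_sample():
    """Build both snapshots from the constructed text and diff them."""
    baseline = Snapshot(parse_resolv_conf(BASELINE_RESOLV),
                        parse_iptables(BASELINE_IPTABLES),
                        parse_listening(BASELINE_NETSTAT))
    current = Snapshot(parse_resolv_conf(CURRENT_RESOLV),
                       parse_iptables(CURRENT_IPTABLES),
                       parse_listening(CURRENT_NETSTAT))
    return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

On a real device the three inputs would come from the router's shell (or from a backup of its configuration) on a schedule, with the baseline captured right after a factory reset and firmware update. Any finding should be treated as a trigger to reflash the device, because the sample deletes its own files and renames its process, so the absence of an obvious binary is not evidence that the device is clean.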

In terms of infrastructure, the attacker first used a Google cloud service IP and then switched to a hosting provider in Hong Kong. When the researchers looked up the website certificate, sample, domain name and IP in Netlab's DNSmon system, they were able to see further infrastructure IPs, samples and C2 domain names.

Neither zero-day flaw has been patched, according to Netlab. IT Pro has approached Tenda for a comment and is awaiting a response.