IoT botnet exploiting two zero-day flaws in Tenda routers

The Ttint botnet is based heavily on the Mirai malware and includes 12 protocols for remote access

Botnet graphic

Attackers have spread a Remote Access Trojan (RAT) based on the Mirai malware to create a botnet by exploiting two zero-day vulnerabilities in routers manufactured by Tenda.

The botnet, dubbed Ttint, targets routers specifically and is based on code from the Mirai botnet-spreading malware. This malware was found to receive ten Mirai distributed denial of service (DDoS) attack instructions, as well as 12 remote control instructions, according to researchers with Netlab.

The team first detected hackers using the first of two zero-day vulnerabilities to spread samples of the malware. The flaw, tagged as CVE-2018-14558, was disclosed publicly for the first time in July by researchers with Independent Security Evaluators.

Netlab saw the second Tenda router zero-day vulnerability, tagged as CVE-2020-10987, being exploited to spread Ttint samples in August this year. The team subsequently reported the details of this flaw, as well as the proof-of-concept, although the manufacturer has not yet responded.

Ttint samples were compared during these two periods of emergence and the researchers found the command and control (C2) instructions were exactly the same, albeit with some differences in the vulnerability, cipher key and C2 protocol.

“The conventional Mirai variants normally focus on DDoS, but this variant is different,” according to Netlab’s report. ”In addition to DDoS attacks, it implements 12 remote access functions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, executing custom system commands.

“In addition, at the C2 communication level, it uses the WSS (WebSocket over TLS) protocol. Doing this can circumvent the typical Mirai traffic detection at the traffic level, and it also provides secure encrypted communication for C2.”

While Ttint is a botnet, the 12 different remote access methods stand it apart from most other botnets, with hackers using the routers as proxies to relay traffic, tamper with firewall and DNS settings, and execute commands remotely.

When running, Ttint deletes its own files, manipulates the watchdog and prevents the device from restarting. The malware also runs on a single instance by binding to the port, and modifies the process name to confused the user. Finally, it establishes a connection with the decrypted C2 server and reports device information. From this point, it waits for the C2 server to issue instructions and it executes corresponding attacks.

Related Resource

The state of data protection and cloud

The challenge of providing effective enterprise data protection

Download now

In terms of the infrastructure, the attacker first used a Google cloud service IP and then switched to a hosting provider in Hong Kong. When researchers looked up the website certificate, sample, domain name and IP in its DNSmon system, it was able to see more infrastructure IPs, samples and further C2 domain names.

Neither zero-day flaw has been patched, according to Netlab. IT Pro has approached Tenda for a comment and is awaiting a response.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Microsoft spearheads industry-wide charter against AI cyber attacks
Security

Microsoft spearheads industry-wide charter against AI cyber attacks

23 Oct 2020
Weekly threat roundup: Chrome, Citrix and WordPress
Security

Weekly threat roundup: Chrome, Citrix and WordPress

23 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
CMS platforms succumb to KashmirBlack botnet as businesses rush online
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
How to wipe a laptop easily and securely
Security

How to wipe a laptop easily and securely

5 Oct 2020