The botnet dubbed Ttint was found to be active because November 2019, along with DDoS capabilities it includes 12 remote access functions.
Netlab observed a brand-new IoT botnet makes use of 2 Tenda router 0-day vulnerabilities to install a Remote Gain access to Trojan (RAT).
Ttint IoT Botnet Attack
Attackers used list below Tenda router 0-day vulnerability (CVE-2018-14558 & & CVE-2020-10987) to disperse the Ttint samples.
The Tint remote access Trojan based on Mirai code, it consists of 10 Mirai DDoS attack directions & & 12 control directions such as Socket5 proxy for router gadgets, tampering with router DNS, setting iptables, executing custom system commands.
Ttint Bot supports for 22 commands, 10 DDoS commands inherited from Mirai, and 12 new commands.
When the Ttint gets performed “it deletes its files, manipulates the watchdog, and prevents the gadget from rebooting, it runs as a single circumstances by binding the port; then modifies the process name to confuse the user; it finally establishes a connection with the decrypted C2, Reporting device info.”
ID
INSTRUCTION
0
attack_udp_generic
1
attack_udp_vse
2
attack_udp_dns
9
attack_udp_plain
3
attack_tcp_flag
4
attack_tcp_pack
5
attack_tcp_xmas
6
attack_grep_ip
7
attack_grep_eth
10
attack_app_http
12
run “nc” command
13
run “ls” command
15
Execute system commands
16
Tampering with router DNS
18
Report gadget details
14
Config iptables
11
run “ifconfig” command
17
Self-exit
19
Open Socks5 proxy
20
Close Socks5 proxy
21
Self-upgrade
22
Reverse shell
According to Netlab analysis, “the assailant initially used a Google cloud service IP, and then changed to a hosting supplier in Hong Kong.”
All the communication with the C2 server is encrypted and for communication, it utilizes WSS (WebSocket over TLS) procedure.
Tenda router users are suggested to examine their gadget firmware and make the essential upgrade, here you can find the IoCs.
You can follow us on Linkedin, Twitter, Facebook for everyday Cybersecurity and hacking news updates.
Just like any new innovation, IoT guarantees to be the future of the Internet, bringing much better connectivity and ease of use of the gadgets we utilize, but as these 2 botnet attacks reveal, an equivalent amount of tension should be put on security.