The botnet dubbed Ttint has been active since November 2019; alongside its DDoS capabilities it includes 12 remote access functions.
Netlab observed a new IoT botnet that exploits two Tenda router 0-day vulnerabilities to install a Remote Access Trojan (RAT).
Ttint IoT Botnet Attack
Attackers exploited the following Tenda router 0-day vulnerabilities (CVE-2018-14558 and CVE-2020-10987) to distribute the Ttint samples.
The Ttint remote access Trojan is based on Mirai code; it includes 10 Mirai DDoS attack commands and 12 control commands, such as a Socks5 proxy for router devices, tampering with router DNS, setting iptables rules, and executing custom system commands.
Ttint supports 22 commands in total: 10 DDoS commands inherited from Mirai and 12 new commands.
When Ttint is executed, “it deletes its files, manipulates the watchdog, and prevents the device from rebooting; it runs as a single instance by binding the port, then modifies the process name to confuse the user; finally it establishes a connection with the decrypted C2, reporting device info.”
Among the new commands:
- run “nc” command
- run “ls” command
- execute system commands
- tamper with router DNS
- report device details
- run “ifconfig” command
- open Socks5 proxy
- close Socks5 proxy
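The behaviours quoted from Netlab above (binary deleted after launch, process name rewritten) and the DNS-tampering command both leave traces a defender can look for on a Linux-based router or host. The following is an added example, not code from the article or from Netlab's report: it reads /proc-style process data (here a constructed sample so it runs offline; collect_procs reads the real tree), flags processes whose on-disk binary is gone, that run from a scratch directory, or whose argv[0] no longer matches the kernel task name, and compares resolv.conf nameservers against an expected set. All names, thresholds and sample values are this example's own assumptions, not Ttint IoCs.

```python
# Added example, not from the article or Netlab's report: defender-side
# heuristics for the Ttint behaviours described above, run over constructed
# /proc-style data so it works offline. Names and paths are this example's own.
import os
from dataclasses import dataclass
from typing import List, Tuple

# Writable or volatile locations a dropped binary tends to run from (assumption)
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/")


@dataclass
class ProcInfo:
    pid: int
    comm: str      # kernel task name (/proc/<pid>/comm, max 15 chars), what ps/top display
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces
    exe: str       # readlink("/proc/<pid>/exe"); "" when unreadable (kernel threads, no permission)


def collect_procs(proc_root: str = "/proc") -> List[ProcInfo]:
    """Read live process data from a Linux /proc tree (best effort; skips unreadable entries)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = ""
        except OSError:
            continue  # process exited or is not readable by this user
        procs.append(ProcInfo(int(entry), comm, cmdline, exe))
    return procs


def find_suspicious(procs: List[ProcInfo]) -> List[Tuple[int, List[str]]]:
    """Flag processes matching the tricks the article attributes to Ttint."""
    findings = []
    for p in procs:
        reasons = []
        # "deletes its files": the running binary no longer exists on disk
        if p.exe.endswith(" (deleted)"):
            reasons.append("binary deleted on disk")
        # running from a volatile or writable scratch location
        if p.exe.startswith(SUSPECT_DIRS):
            reasons.append("executable in a scratch directory")
        # "modifies the process name": argv[0] no longer agrees with the task name
        argv0 = os.path.basename(p.cmdline.split(" ", 1)[0]) if p.cmdline else ""
        if argv0 and p.comm and argv0[:15] != p.comm:
            reasons.append(f"name mismatch: comm={p.comm!r} argv0={argv0!r}")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


def rogue_resolvers(resolv_conf: str, allowed: set) -> List[str]:
    """Return nameserver entries not in the expected set (router DNS tampering check)."""
    rogue = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in allowed:
            rogue.append(parts[1])
    return rogue


# Constructed sample data (not real IoCs): a normal daemon, a kernel thread,
# a bot-like process, and a process with a rewritten name.
SAMPLE_PROCS = [
    ProcInfo(1, "init", "/sbin/init", "/sbin/init"),
    ProcInfo(17, "kworker/0:1", "", ""),
    ProcInfo(1337, "sshd", "sshd", "/tmp/.bot (deleted)"),
    ProcInfo(4242, "nginx", "/usr/bin/httpd -k start", "/usr/bin/httpd"),
]
SAMPLE_RESOLV = "nameserver 192.0.2.53\nnameserver 9.9.9.9\n"   # 192.0.2.0/24 is TEST-NET-1
EXPECTED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_PROCS):
        print(pid, "; ".join(reasons))
    print("rogue resolvers:", rogue_resolvers(SAMPLE_RESOLV, EXPECTED_RESOLVERS))
```

On a real device, call find_suspicious(collect_procs()) as root; the name-mismatch rule will also fire on legitimate programs that rename themselves (some daemons do), so treat it as a lead to inspect, with the deleted-binary and scratch-directory rules carrying more weight.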
According to Netlab's analysis, “the attacker initially used a Google cloud service IP, and then changed to a hosting provider in Hong Kong.”
All communication with the C2 server is encrypted; it uses the WSS (WebSocket over TLS) protocol.
Tenda router users are advised to check their device firmware and apply the necessary upgrade. Netlab's analysis includes the IoCs.
Like any new technology, IoT promises to be the future of the Internet, bringing better connectivity and ease of use for the devices we rely on, but as these two botnet attacks show, an equal amount of emphasis must be placed on security.