A New Mirai-based IoT RAT Spreading Through Two 0-day Vulnerabilities

https://gbhackers.com/ttint-iot-botnet/

The botnet, dubbed Ttint, has been active since November 2019; alongside its DDoS capabilities it includes 12 remote access functions.

Netlab observed a new IoT botnet that uses two Tenda router 0-day vulnerabilities to install a Remote Access Trojan (RAT).

Ttint IoT Botnet Attack

Attackers used the following Tenda router 0-day vulnerabilities (CVE-2018-14558 and CVE-2020-10987) to distribute the Ttint samples.

The Ttint remote access Trojan is based on the Mirai code. It keeps 10 Mirai DDoS attack instructions and adds 12 control instructions, such as running a Socks5 proxy on the router, tampering with the router's DNS settings, configuring iptables, and executing custom system commands.

In total the Ttint bot supports 22 commands: 10 DDoS commands inherited from Mirai and 12 new commands.

When Ttint is executed, "it deletes its files, manipulates the watchdog, and prevents the device from rebooting; it runs as a single instance by binding the port; then modifies the process name to confuse the user; it finally establishes a connection with the decrypted C2, reporting device information."

Ttint command set (ID and instruction):

ID  Instruction
--  ---------------------------------
DDoS commands inherited from Mirai
 0  attack_udp_generic
 1  attack_udp_vse
 2  attack_udp_dns
 3  attack_tcp_flag
 4  attack_tcp_pack
 5  attack_tcp_xmas
 6  attack_grep_ip
 7  attack_grep_eth
 9  attack_udp_plain
10  attack_app_http
New control commands
11  run "ifconfig" command
12  run "nc" command
13  run "ls" command
14  Config iptables
15  Execute system commands
16  Tampering with router DNS
17  Self-exit
18  Report device details
19  Open Socks5 proxy
20  Close Socks5 proxy
21  Self-upgrade
22  Reverse shell
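The startup behaviour quoted above (binary deleted after launch, watchdog manipulated, a bound port used as a single-instance lock, process name rewritten) is also what a defender can look for on a suspect device. The script below is an added example written for this article, not code from gbhackers or from Netlab's analysis. It scores process snapshots against those traits; the sample snapshot is constructed, the paths and the lock port 48101 (classic Mirai's single-instance port, which the article does not state for Ttint) are illustrative assumptions, and collect_snapshot() reads a real Linux /proc when run on a live host.

```python
"""Triage check for Mirai-style implant behaviour on a Linux host.

Added example (not the article's or Netlab's code).  Each process gets points
for: its executable deleted while running (3), an open handle on the hardware
watchdog (2), a comm name or argv[0] that differs from the real executable
(1 each), and, only when the binary is deleted, a listening socket that acts
as a single-instance lock (1).  A threshold of 3 avoids flagging interpreters
whose comm/argv[0] legitimately differ from the executable name.
"""
import os
from dataclasses import dataclass, field

WATCHDOG_DEVICES = ("/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog")
DELETED_SUFFIX = " (deleted)"


@dataclass
class Proc:
    pid: int
    comm: str                 # /proc/<pid>/comm, what `ps` shows (max 15 chars)
    exe: str                  # readlink /proc/<pid>/exe
    cmdline: list             # argv from /proc/<pid>/cmdline
    open_files: list = field(default_factory=list)    # targets of /proc/<pid>/fd/*
    listen_ports: list = field(default_factory=list)  # TCP ports in LISTEN owned by pid


def score(p: Proc):
    """Return (points, reasons) for one process."""
    points, reasons = 0, []
    deleted = p.exe.endswith(DELETED_SUFFIX)
    exe_base = os.path.basename(p.exe[:-len(DELETED_SUFFIX)] if deleted else p.exe)
    if deleted:
        points += 3
        reasons.append("binary deleted from disk after launch")
    if any(f in WATCHDOG_DEVICES for f in p.open_files):
        points += 2
        reasons.append("holds the hardware watchdog open")
    # Mirai-family bots rewrite argv[0] and the comm name to hide in `ps`.
    if exe_base and p.comm != exe_base[:15]:
        points += 1
        reasons.append(f"comm '{p.comm}' differs from executable '{exe_base}'")
    argv0 = os.path.basename(p.cmdline[0]) if p.cmdline else ""
    if argv0 and argv0 != exe_base:
        points += 1
        reasons.append(f"argv[0] '{argv0}' differs from executable '{exe_base}'")
    if deleted and p.listen_ports:
        points += 1
        reasons.append(f"deleted binary listening on {sorted(p.listen_ports)} (single-instance lock)")
    return points, reasons


def triage(snapshot, threshold=3):
    """Map pid -> reasons for every process scoring at or above the threshold."""
    flagged = {}
    for p in snapshot:
        points, reasons = score(p)
        if points >= threshold:
            flagged[p.pid] = reasons
    return flagged


def collect_snapshot(proc_root="/proc"):
    """Build Proc records from a live /proc (root needed to inspect other users' pids)."""
    listening = {}  # socket inode -> local port, for TCP sockets in LISTEN (state 0A)
    try:
        with open(os.path.join(proc_root, "net", "tcp")) as fh:
            for line in fh.readlines()[1:]:
                f = line.split()
                if f[3] == "0A":
                    listening[f[9]] = int(f[1].split(":")[1], 16)
    except OSError:
        pass
    procs = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            files, ports = [], []
            for fd in os.listdir(os.path.join(base, "fd")):
                target = os.readlink(os.path.join(base, "fd", fd))
                files.append(target)
                if target.startswith("socket:[") and target[8:-1] in listening:
                    ports.append(listening[target[8:-1]])
        except OSError:
            continue  # process exited, or not readable without root
        procs.append(Proc(int(pid), comm, exe, cmdline, files, ports))
    return procs


# Constructed sample snapshot (not real data): a router's init, dropbear, a
# Python service that legitimately mismatches its exe name, and a Mirai-style
# bot hiding as "udhcpc" with its binary deleted and the watchdog held open.
SAMPLE_SNAPSHOT = [
    Proc(1, "init", "/sbin/init", ["/sbin/init"], ["/dev/console"]),
    Proc(412, "dropbear", "/usr/sbin/dropbear", ["/usr/sbin/dropbear", "-R"], ["socket:[101]"], [22]),
    Proc(917, "python3", "/usr/bin/python3.11", ["python3", "app.py"], ["socket:[202]"], [8080]),
    Proc(2201, "udhcpc", "/tmp/.x/arm7 (deleted)", ["udhcpc"],
         ["/dev/watchdog", "socket:[303]"], [48101]),  # 48101: assumed lock port
]

if __name__ == "__main__":
    snap = collect_snapshot() if os.path.isdir("/proc") else SAMPLE_SNAPSHOT
    for pid, reasons in triage(snap).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

The Python service in the sample scores 2 (comm and argv[0] both differ from python3.11) and stays below the threshold, while the bot scores on every indicator; on a real device, run it as root so /proc/<pid>/exe and /proc/<pid>/fd of other users' processes are readable.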

According to Netlab's analysis, "the attacker initially used a Google Cloud service IP, and then changed to a hosting provider in Hong Kong."

All communication with the C2 server is encrypted: the bot uses the WSS (WebSocket over TLS) protocol to talk to it.

Tenda router users are advised to check their device firmware and apply the necessary update; the IoCs are published with Netlab's analysis.


Like any new technology, IoT promises to be the future of the Internet, bringing better connectivity and ease of use to the devices we rely on, but as attacks like Ttint show, an equal amount of attention must be paid to security.