IoT-botnet Ttint exploits 0-day vulnerabilities in Tenda routers

Researchers at the Chinese company Qihoo 360 have discovered a new IoT botnet, Ttint, which exploits 0-day vulnerabilities in Tenda routers to spread its malware. They consider it technically noteworthy, because Ttint also carries RAT (remote access trojan) functionality.

Ttint is unusual in several respects and differs significantly from most similar botnets.

“It doesn’t just infect devices and then use them for DDoS attacks, but it can provide remote access to compromised routers in twelve different ways, uses devices as proxy servers to relay traffic, changes firewall and DNS settings, and allows attackers to perform remote commands on infected devices”, said Qihoo 360 specialists.

The researchers first observed the botnet in November 2019, when Ttint began abusing a 0-day vulnerability (CVE-2020-10987) in Tenda routers. The malware exploited it until July 2020, when experts from Independent Security Evaluators published a detailed report describing this problem and four others.

Tenda engineers still have not released patches for those bugs, but the Ttint operators did not wait for fixes: they switched in advance to exploiting another zero-day vulnerability in Tenda routers.

Qihoo 360 analysts have not disclosed details of this second vulnerability, fearing that other botnets would also take advantage of it. It reportedly has no fix either, although the Tenda developers have already been notified.

“Any Tenda router with firmware versions AC9 to AC18 should be considered vulnerable. Since Ttint spoofs DNS settings on infected devices and appears to redirect users to malicious sites, using the problematic routers is highly discouraged for now”, the researchers write.

Like much other malware of this kind, Ttint is built on the source code of the Mirai IoT malware, which leaked publicly back in 2016. Since then, many different threats have been built on that code, and every botnet operator has tried to add something new to it.

Radware experts who studied Ttint note that its creators also did their best to build one of the most complex pieces of IoT malware to date.

“The emergence of Ttint may mark the beginning of the maturation of IoT malware, which will be used more widely in more complex campaigns”, suggest Radware experts.

Radware says that Ttint is essentially nothing new, but the botnet operators have combined existing functions in new ways and ultimately developed a real Swiss army knife of IoT malware.

In particular, malware for IoT devices rarely has RAT functionality, and in terms of complexity Ttint can be compared only with the well-known VPNFilter malware.

As a reminder, botnets mostly target not IoT devices but ordinary networks and computers, penetrating them through various vulnerabilities; for example, we wrote earlier about the active exploitation of vBulletin vulnerabilities by botnets.
