IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

IoT botnet exploiting two zero-day flaws in Tenda routers

The Ttint botnet is based heavily on the Mirai malware and includes 12 protocols for remote access

Attackers have spread a Remote Access Trojan (RAT) based on the Mirai malware to create a botnet by exploiting two zero-day vulnerabilities in routers manufactured by Tenda.

The botnet, dubbed Ttint, targets routers specifically and is based on code from the Mirai botnet-spreading malware. This malware was found to receive ten Mirai distributed denial of service (DDoS) attack instructions, as well as 12 remote control instructions, according to researchers with Netlab.

The team first detected hackers using the first of two zero-day vulnerabilities to spread samples of the malware. The flaw, tagged as CVE-2018-14558, was disclosed publicly for the first time in July by researchers with Independent Security Evaluators.

Netlab saw the second Tenda router zero-day vulnerability, tagged as CVE-2020-10987, being exploited to spread Ttint samples in August this year. The team subsequently reported the details of this flaw, as well as the proof-of-concept, although the manufacturer has not yet responded.

Ttint samples were compared during these two periods of emergence and the researchers found the command and control (C2) instructions were exactly the same, albeit with some differences in the vulnerability, cipher key and C2 protocol.

“The conventional Mirai variants normally focus on DDoS, but this variant is different,” according to Netlab’s report. ”In addition to DDoS attacks, it implements 12 remote access functions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, executing custom system commands.

“In addition, at the C2 communication level, it uses the WSS (WebSocket over TLS) protocol. Doing this can circumvent the typical Mirai traffic detection at the traffic level, and it also provides secure encrypted communication for C2.”

While Ttint is a botnet, the 12 different remote access methods stand it apart from most other botnets, with hackers using the routers as proxies to relay traffic, tamper with firewall and DNS settings, and execute commands remotely.

When running, Ttint deletes its own files, manipulates the watchdog and prevents the device from restarting. The malware also runs on a single instance by binding to the port, and modifies the process name to confused the user. Finally, it establishes a connection with the decrypted C2 server and reports device information. From this point, it waits for the C2 server to issue instructions and it executes corresponding attacks.

Related Resource

The state of data protection and cloud

The challenge of providing effective enterprise data protection

Download now

In terms of the infrastructure, the attacker first used a Google cloud service IP and then switched to a hosting provider in Hong Kong. When researchers looked up the website certificate, sample, domain name and IP in its DNSmon system, it was able to see more infrastructure IPs, samples and further C2 domain names.

Neither zero-day flaw has been patched, according to Netlab. IT Pro has approached Tenda for a comment and is awaiting a response.

Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download

Recommended

Cyber security in the retail sector
cyber security

Cyber security in the retail sector

28 Sep 2022
Cyber security in manufacturing
Whitepaper

Cyber security in manufacturing

28 Sep 2022
CIO Priorities: 2020 vs 2023
Whitepaper

CIO Priorities: 2020 vs 2023

23 Sep 2022
The future of work is already here. Now’s the time to secure it.
Whitepaper

The future of work is already here. Now’s the time to secure it.

21 Sep 2022

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
The human brain is far more complex than AI researchers imagine
artificial intelligence (AI)

The human brain is far more complex than AI researchers imagine

17 Sep 2022
The cryptocurrency implosion shows we’re heading for the end
cryptocurrencies

The cryptocurrency implosion shows we’re heading for the end

29 Sep 2022