Avast's Threat Intelligence Team has uncovered a new IoT botnet malware strain which spreads itself by attacking MIPS, ARM, x86, x64, PowerPC, and SuperH devices via the Telnet TCP/IP protocol.
As reported by Avast's security researchers, Torii is making rounds around the Internet since December 2017, but it wasn't detected until last week when the research team noticed a new botnet strain using higher grade infection techniques than Mirai.
Botnets are large collections of Internet-connected devices, sometimes hundreds of thousands, compromised by threat actors using malware designed to make them easy to control and used in DDoS attacks, spam campaigns, or data theft.
Such malware strains are quite prevalent with at least twelve of them having been observed in the wild in the past ten years, from Zeus and Ramnit which managed to enslave over 3 million devices each, to Mirai, the "open source" botnet every wannabe hacker can mod and use to quickly build a DDoS farm.
What sets Torii apart from his brethren are his advanced techniques of staying stealthy using encrypted communication via TOR exit nodes as discovered by Dr. Vesselin Vladimirov Bontchev when Torii hit his telnet honeypot, as well as an easy to build on modular architecture coupled with a wide range of data exfiltration techniques.
Torii was also designed to infect multiple device architectures, ranging from run-of-the-mill x86 and x64 devices to more exotic MIPS, ARM, PowerPC, and SuperH, which hints at its creator being a highly knowledgeable threat actor, at least one pay grade above other IoT malware "developers."
Torii achieves persistence using six different methods and tries to be as stealthy as possible, even mimicking HTTPS traffic
After the initial infection, Torii will download the first payload of encrypted malicious binaries which act as droppers for the second stage of the infection and the tools to achieve persistence on the device via six different methods, all used to make the second stage as tough to remove as possible.
Once the second stage payload is downloaded and installed, the Torii-infected device becomes a bot controllable by the threat actor using commands sent via encrypted communication channels from the command-and-control (C&C) server, using the 443 TCP port to mimic HTTPS traffic.
Until now, the security researchers have uncovered ten different commands that can be sent from Torii's C&C servers, ranging from downloading and executing files from the control servers to running shell commands and transmitting the output back to the botnet master.
Torii will also send multiple packs of data to the C&C server when connecting, from the device's hostname and the MAC addresses of all its network interfaces to OS version, CPU info, and more.
As Avast's Threat Intelligence Team concluded, Torii has not yet been used in any botnet-like attacks such as DDoS or spam campaigns, nor does it try to spread itself by using compromised devices as to scan for more vulnerable machines.
Torii might be the next evolutionary step to an even more sophisticated, persistent and modular malware platform, with easy to expand capabilities and stealthy behavior making it a lot harder to detect and counter.