Security experts are warning of a new IoT botnet far more stealthy, persistent and advanced than Mirai and designed to compromise a wide range of device architectures.
Researcher @VessOnSecurity first tweeted about his discovery last week after detecting the threat via a honeypot. Although it spreads via Telnet and targets weak credentials on devices, “it’s not your run-of-the-mill Mirai variant or Monero miner,” he warned.
“It does not (yet) do the usual stuff a botnet does like DDOS, attacking all the devices connected to the internet, or, of course, mining cryptocurrencies,” explained Avast in a follow-up analysis.
“Instead, it comes with a quite rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication.”
Dubbed “Torii” by the firm, the threat first finds out the architecture of the targeted device, and downloads an appropriate payload — with MIPS, ARM, x86, x64, PowerPC, SuperH and more supported.
This payload is a dropped for the second stage. Meanwhile, Torii uses at least six methods to make sure the file remains on the device and always runs.
“The second stage payload is a full-fledged bot capable of executing commands from its master (CnC),” said Avast. “It also contains other features such as simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, etc.”
Sean Newman, director at Corero Network Security, said Torii is “cashing in on the rapidly expanding global pool of IoT devices.”
“Its secret could be the large number of different platforms the code can support, which gives it the diversity needed to find enough devices that still use simple default username/password pairs,” he added. “Until IoT manufacturers solve the issue of shipping devices with the same default administrator credentials, it’s going to remain child’s play for cyber-criminals to leverage them for nefarious purposes.”