According to researchers at 360 Netlab, a subsidiary of the Chinese cybersecurity firm Qihoo 360, a recently discovered Mirai-based botnet is exploiting zero-day vulnerabilities in Tenda routers.
The remote access trojan (RAT), dubbed Ttint, has the distributed denial of service (DDoS) capability that every Mirai offshoot has, but also implements 12 remote-access functions, including a SOCKS5 proxy, tampering with the router's DNS and iptables settings, and running commands on the device.
Ttint talks to its command and control (C&C) server over WSS (WebSocket over TLS), so its traffic is encrypted and does not match the signatures written for the plain-text traffic of typical Mirai botnets.
The botnet's activity was first observed in November 2019, when the attackers began exploiting the first zero-day flaw in Tenda routers (CVE-2020-10987). In August 2020 they started abusing a second zero-day, which 360 Netlab says it reported to the vendor by email without receiving a response.
“In the two cycles, we analysed and compared Ttint samples and found that their C2 instructions were almost the same, but they had some changes in the 0-day vulnerability used, XOR Key, and C2 protocol,” says 360 Netlab.
The researchers describe Ttint's basic behaviour as fairly simple: it deletes its own file once running, changes its process name, tampers with the debugger, and prevents the device from rebooting. After establishing a connection to the C&C server it sends system information and then waits for instructions.
The malware retains many features seen in Mirai, such as a random process name, encrypted configuration data, support for several DDoS attack vectors, and a single-instance check so that only one copy of the malware runs at a time. Unlike Mirai, however, it communicates over the WebSocket protocol.
Features new in Ttint let attackers remotely reach the LAN behind the router, hijack network traffic to potentially steal sensitive data, set traffic-forwarding rules, and use a reverse shell as a local shell. The malware can also repair itself or shut itself down, and execute commands issued by the C&C server.
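The "encrypted configuration" inherited from Mirai, and the "XOR Key" 360 Netlab says changed between the two Ttint campaigns, refer to the single-byte XOR obfuscation of the embedded config table. The following is an added illustration, not code from Ttint or from 360 Netlab's report; it assumes Ttint uses the same scheme as Mirai's table.c (where the key 0x22 is derived from the four bytes of 0xdeadbeef) and shows how an analyst recovers an unknown key from a sample's obfuscated strings. The sample strings, the hostname and the key 0x5a are constructed for the demo and are not real Ttint indicators.

```python
"""
Mirai-style XOR config obfuscation and key recovery (added illustration).

Assumption: the malware obfuscates its configuration table the way Mirai's
table.c does, with one XOR byte applied to every byte of every entry.
Sample entries and the key below are constructed for the demo.
"""
import string

# Mirai's table key: the four bytes of 0xdeadbeef XORed together.
MIRAI_TABLE_KEY = 0xDE ^ 0xAD ^ 0xBE ^ 0xEF  # 0x22

# Strings an analyst expects somewhere in a Mirai-family config table.
CRIBS = [b"busybox", b"/proc/", b"HTTP/1.", b"/dev/watchdog"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (obfuscation is its own inverse)."""
    return bytes(b ^ key for b in data)


def decode_table(blobs, key: int):
    """Decode a list of obfuscated table entries to text."""
    return [xor_bytes(b, key).decode("latin-1") for b in blobs]


def _printable_score(data: bytes) -> float:
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data) if data else 0.0


def recover_xor_key(blobs, cribs=CRIBS):
    """Brute-force the single-byte key: try all 256 values, count how many
    crib strings show up in the decoded entries, and rank keys by crib hits
    first and by printability second. Returns None if no key reveals a crib
    (e.g. the sample uses a different scheme than assumed here)."""
    best_key, best_rank = None, (0, 0.0)
    for key in range(256):
        decoded = [xor_bytes(b, key) for b in blobs]
        hits = sum(any(crib in d for d in decoded) for crib in cribs)
        score = min((_printable_score(d) for d in decoded), default=0.0)
        if (hits, score) > best_rank:
            best_key, best_rank = key, (hits, score)
    return best_key if best_rank[0] > 0 else None


# Constructed sample table; the hostname is a placeholder, not a real IoC.
SAMPLE_CONFIG = [
    b"/bin/busybox",
    b"cnc.example.invalid",
    b"POST /cdn-cgi/l/chk_captcha HTTP/1.1",
]
SAMPLE_KEY = 0x5A  # the key the constructed sample used
ENCRYPTED_TABLE = [xor_bytes(s, SAMPLE_KEY) for s in SAMPLE_CONFIG]

if __name__ == "__main__":
    key = recover_xor_key(ENCRYPTED_TABLE)
    print(f"recovered key: {key:#04x}")
    for entry in decode_table(ENCRYPTED_TABLE, key):
        print(" ", entry)
```

Ranking by crib hits rather than by printability alone matters: a key that differs from the true one by 0x20 flips letter case and still yields fully printable output, so a printability-only heuristic cannot tell `/bin/busybox` from `/BIN/BUSYBOX`. Once the key is known, the decoded table is where the C2 hostname and attack strings come from, and those are the IoCs worth blocking.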
In total, the threat supports 22 commands, including several that launch DDoS attacks.
Tenda router owners should check their device's firmware version and install any available update. They can also watch for the indicators of compromise (IoCs) shared by 360 Netlab and block them.