Ttint IoT botnet exploits 2 zero-days to spread RAT


A new IoT botnet dubbed Ttint is exploiting two zero-day vulnerabilities in Tenda routers to spread a Remote Access Trojan (RAT) built on the Mirai botnet source code.

Previous botnets have long been known to focus on distributed denial of service (DDoS) attacks. However, researchers from Netlab have discovered that the Ttint botnet adds remote access tool (RAT) capabilities on top of that.

“The conventional Mirai variants normally focus on DDoS, but this variant is different. In addition to DDoS attacks, it implements 12 remote access functions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, executing custom system commands,” Netlab explained in a blog post.

Furthermore, Ttint uses the WebSocket over TLS (WSS) protocol for its command and control (C2) communication.

As a result, its C2 traffic does not look like typical Mirai traffic and can evade detection by many security monitoring tools.

Zero-day vulnerabilities

Last November, the Netlab security experts first detected two Tenda zero-day vulnerabilities (CVE-2018-14558 and CVE-2020-10987). The threat actors exploited the first of these to spread Ttint malware samples.

On August 21, 2020, Netlab researchers spotted attackers exploiting the second zero-day vulnerability. Soon afterwards, on August 28, Netlab reported the vulnerability details and a proof of concept (PoC) to the router maker Tenda.

Custom control functions

After reverse engineering the samples, the security experts from Netlab identified that the following custom control functions are used in combination by Ttint to achieve specific attack goals:

  • Enable or disable a Socket5 proxy service
  • Tamper with the router's DNS settings
  • Configure iptables (for traffic forwarding and target address translation)
  • Implement a reverse shell through a socket
  • Self-upgrade from a download URL
  • Self-exit (by binding to port 57322)
  • Establish a hidden network channel with the C2 (via the nc tool)
  • Report device information (OS, CPU, IP, etc.)
  • Execute system commands (via the popen function)
  • Use the WebSocket over TLS protocol for C2 communication
  • Support a “go live” packet (the payload is recovered in clear text via an XOR calculation)

In total, the Ttint botnet supports 22 kinds of C2 commands: 10 DDoS attack commands inherited from Mirai and 12 new commands.
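The self-exit function above relies on Ttint binding TCP port 57322 so that only one copy runs. As an added defender-side example (not code from Netlab or from the Ttint sample), the Python script below parses the Linux /proc/net/tcp table found on most Linux-based routers and flags any local socket on that port; the sample table embedded in it is constructed for the demonstration.

```python
# Added defender-side example, not code from Netlab or from the Ttint sample.
# Ttint is reported to bind TCP port 57322 so that a second copy exits; on a
# Linux-based router a socket on that port can be spotted in /proc/net/tcp.
TTINT_MUTEX_PORT = 57322          # port named in the Netlab write-up

# Socket states as they appear in the 'st' column of /proc/net/tcp
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN", "07": "CLOSE"}


def _hex_ipv4(addr_hex):
    """Decode the little-endian hex IPv4 address used by /proc/net/tcp."""
    return ".".join(str(int(addr_hex[i:i + 2], 16)) for i in range(6, -1, -2))


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, state) for every socket row in the table."""
    for line in text.splitlines()[1:]:            # row 0 is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        state = TCP_STATES.get(fields[3], fields[3])
        yield _hex_ipv4(addr_hex), int(port_hex, 16), state


def find_mutex_port(text, port=TTINT_MUTEX_PORT):
    """Return [(ip, port, state)] for any local socket on the Ttint mutex port.

    A socket that is bound but never listen()ed is not shown in this table,
    so an empty result is not proof that the port is free."""
    return [row for row in parse_proc_net_tcp(text) if row[1] == port]


# Constructed sample: an HTTP listener, the suspicious 57322 listener and one
# established connection. 57322 is 0xDFEA; 0100007F is 127.0.0.1 little-endian.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0100007F:DFEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 0201A8C0:C3D2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:             # live check on a Linux host
        hits = find_mutex_port(fh.read())
    print("Ttint mutex port in use:" if hits else "port 57322 not in use", hits)
```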

Finally, Netlab recommends that users apply the available firmware updates to their Tenda routers and monitor for or block the related malware indicators of compromise (IoCs).
