Experts from the Chinese company Qihoo 360 discovered a new IoT botnet, Ttint, which is quite interesting from a technical point of view and has RAT functions.
Ttint is different from most botnets of this kind. It not only infects devices and then uses them for DDoS attacks: it can provide remote access to compromised routers in twelve different ways, uses the devices as proxy servers to relay traffic, changes firewall and DNS settings, and allows attackers to execute remote commands on infected devices.
Researchers discovered the botnet in November 2019, when Ttint began to exploit a zero-day vulnerability (CVE-2020-10987) in Tenda routers. The malware exploited this bug until July 2020, when experts at Independent Security Evaluators published a detailed report covering both this problem and four others.
Tenda engineers still have not released patches for these bugs, but the Ttint operators did not wait for the fixes: they had already switched to exploiting another zero-day vulnerability in Tenda routers.
Qihoo 360 analysts have not released detailed information on this problem, fearing that other botnets will also take advantage of it. It is reported that there are no fixes for it either, although the Tenda developers have already been notified of what is happening.
The researchers write that any Tenda router with firmware versions AC9 to AC18 should be considered vulnerable. Since Ttint spoofs the DNS settings on infected devices and appears to redirect users to malicious sites, using the affected routers is strongly discouraged for now.
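A practical check that follows from the DNS-tampering behaviour described above is to compare the resolvers a router or host is actually using against a known-good list. The script below is an added example, not code from the article or from the researchers it cites; it assumes the defender has such an allow-list (the `EXPECTED_RESOLVERS` set, a constructed placeholder here) and can obtain the current resolvers as resolv.conf-style text or a dhclient-style lease dump. All IP addresses in the samples are constructed documentation values.

```python
"""Audit configured DNS resolvers against an allow-list to spot DNS hijacking.

Added example (not from the original article). Assumes an allow-list of
expected resolvers and text input in resolv.conf or dhclient-lease format.
All addresses below are constructed sample values.
"""
import ipaddress
import re

# Constructed allow-list of expected resolvers (assumption; replace with your own).
EXPECTED_RESOLVERS = {"192.0.2.53", "2001:db8::53"}

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.IGNORECASE)
_DHCP_OPTION_RE = re.compile(r"option\s+domain-name-servers\s+([^;]+);")


def parse_resolvers(text):
    """Extract resolver IPs from resolv.conf lines or a dhclient-style lease."""
    found = []
    for line in text.splitlines():
        m = _NAMESERVER_RE.match(line)
        if m:
            found.append(m.group(1))
            continue
        m = _DHCP_OPTION_RE.search(line)
        if m:
            found.extend(part.strip() for part in m.group(1).split(","))
    # De-duplicate while preserving order and drop anything that is not a valid IP.
    resolvers = []
    for ip in found:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if ip not in resolvers:
            resolvers.append(ip)
    return resolvers


def audit_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return the current resolvers, any unexpected ones (possible hijack) and any missing ones."""
    current = parse_resolvers(text)
    unexpected = [ip for ip in current if ip not in expected]
    missing = sorted(ip for ip in expected if ip not in current)
    return {"current": current, "unexpected": unexpected, "missing": missing}


# Constructed sample inputs: one clean configuration, one with a foreign resolver injected.
SAMPLE_CLEAN = """# constructed resolv.conf
nameserver 192.0.2.53
nameserver 2001:db8::53
"""

SAMPLE_HIJACKED = """# constructed dhclient lease
lease {
  interface "eth0";
  option domain-name-servers 198.51.100.7, 192.0.2.53;
}
"""

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        result = audit_resolvers(sample)
        status = "ALERT" if result["unexpected"] else "ok"
        print(f"{name}: {status} current={result['current']} "
              f"unexpected={result['unexpected']} missing={result['missing']}")
```

Run it periodically on hosts behind the router (or against the router's own configuration export) and alert on any entry in `unexpected`; a resolver that the DHCP lease hands out but that is not on the allow-list is exactly the symptom the article describes.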
Like much other malware of this kind, Ttint is built on the source code of the Mirai IoT malware, which was leaked into the public domain back in 2016. Since then, many different threats have been built on these sources, and every botnet operator has tried to bring something new to the code. Radware experts who reviewed Ttint note that its creators also tried their best, and eventually created one of the most complex IoT malware families at the moment.
Radware says that Ttint is essentially nothing new, but the botnet operators are combining functions in new ways and have ultimately developed a real Swiss army knife of IoT malware. In particular, malware for IoT devices rarely has RAT functionality, and in terms of complexity Ttint can be compared only with the well-known VPNFilter malware.
"The emergence of Ttint may mark the beginning of the maturation of IoT malware, which will be used more widely in more complex campaigns," Radware experts suggest.