Researchers have discovered a new botnet called “Torii” which differentiates itself from Mirai by its use of several sophisticated tactics.
Infosec expert @VessOnSecurity was the first to discover the new botnet:
My honeypot just caught something substantially new. Spreads via Telnet but not your run-of-the-mill Mirai variant or Monero miner…
First stage is just a few commands that download a rather sophisticated shell script, disguised as a CSS file. (URL is still live.) pic.twitter.com/r5L0I8PC0h
— Vess (@VessOnSecurity) September 19, 2018
Named for its use of Tor exit nodes to launch telnet attacks, Torii behaves differently from Mirai and QBot. Avast examined the threat and found that it stands out for advanced techniques that make it stealthy and persistent. Chief among these tactics is the initial dropper’s use of at least six different methods to make Torii’s second-stage payload persistent. These include injecting code into ~/.bashrc and using the “@reboot” clause in crontab.
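A defender-side triage check for the two persistence mechanisms named above, written as an added example that is not part of the original article or of Avast’s analysis. It scans a user crontab for “@reboot” entries and a ~/.bashrc for lines that launch commands from scratch or hidden paths; the crontab and .bashrc contents are constructed samples, and the path heuristics are assumptions, not Torii indicators.

```python
import re
from typing import Dict, List

# Constructed sample inputs (not taken from any Torii sample): a user crontab and a ~/.bashrc.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
@reboot /tmp/.x/agent >/dev/null 2>&1
"""

SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
export PATH=$HOME/bin:$PATH
alias ll='ls -alF'
nohup /dev/shm/.s/run &
"""

# Assumed heuristic: boot-time jobs and shell startup files rarely execute from these
# scratch directories or from hidden path components such as /.x/.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")

def is_suspicious(command: str) -> bool:
    """True if the command references a scratch directory or a hidden path component."""
    return any(d in command for d in SUSPICIOUS_DIRS) or HIDDEN_PATH.search(command) is not None

def reboot_entries(crontab_text: str) -> List[str]:
    """Return the command part of every @reboot entry in a crontab."""
    out = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("@reboot"):
            out.append(stripped[len("@reboot"):].strip())
    return out

def bashrc_findings(bashrc_text: str) -> List[str]:
    """Return non-comment .bashrc lines that background a process or use a suspicious path."""
    out = []
    for line in bashrc_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if is_suspicious(s) or s.startswith("nohup ") or s.endswith("&"):
            out.append(s)
    return out

def triage(crontab_text: str, bashrc_text: str) -> Dict[str, List[str]]:
    """Collect suspicious @reboot jobs and .bashrc lines for an analyst to review."""
    return {"cron_reboot": [c for c in reboot_entries(crontab_text) if is_suspicious(c)],
            "bashrc": bashrc_findings(bashrc_text)}

if __name__ == "__main__":
    print(triage(SAMPLE_CRONTAB, SAMPLE_BASHRC))
```

On a live host, feed it the output of `crontab -l` for each user and the contents of each user’s ~/.bashrc; every hit still needs manual review, since legitimate software occasionally uses @reboot.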
Upon successful execution, the second-stage payload does not launch distributed denial-of-service (DDoS) attacks or mine for cryptocurrencies like some of the well-known IoT botnets. Instead it leverages multiple levels of encrypted communication along with anti-analysis features to evade detection while exfiltrating data from the compromised machine.
That’s not all that sets Torii apart from Mirai and QBot. Researchers at Avast elaborated on this point in a blog post:
…Torii can infect a wide range of devices and it provides support for a wide range of target architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, and others. Definitely, one of the largest sets we’ve seen so far.
By analyzing the threat’s FTP server, the anti-virus provider also obtained another binary called “sm_packed_agent.” Researchers found no evidence that it had been used on the server at the time of discovery. But they did find the binary versatile enough to let attackers send additional remote commands and executables to the targeted device.
Avast’s analysis of Torii was ongoing as of this writing.
Disclosure of this threat comes just days after three men who operated and controlled the notorious Mirai botnet received five years of probation.