"Most sophisticated" Torii botnet targeting IoT devices

Avast's threat labs team has discovered “the most sophisticated botnet that they have ever seen” and it is targeting IoT devices.

The new IoT malware strain/botnet, that the firm has codenamed Torii, has spread over poorly secured telnet services with the attack stemming from Tor exit nodes.

Payload delivery

According to Avast, the infection chain begins with a telnet attack on the weak credentials of targeted devices followed by the execution of an initial shell script. The script tries to discover the architecture of the targeted device and once this is complete it attempts to download the appropriate payload for the devices (binary files in the ELF format).

The core functionality of these payloads is to install an inner ELF with the first ELF file. This is the second stage executable which is highly persistent and uses at least six methods to ensure the ELF file remains on the device and is always running. After this, the inner ELF is executed to deliver the second stage payload, a fully-fledged bot capable of executing commands from its master CnC server.

Threat details

Torii has yet to be used in either DDoS attacks or for cryptojacking. Instead, the malware steals data from IoT devices and allows attackers to execute code remotely which could allow them to run any command on the infected machines. However, the malware is capable of fetching and executing other commands using multiple layers of encryption.

Torii is one of the most sophisticated malware strains ever observed by Avast. In addition to sharing information regarding infected devices, the malware's communication with the CnC server allows its authors to execute any code or deliver any payload to an infected device. This suggests that Torii could become a modular platform for future use.

TOPICS
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Close up of a person touching an email icon.
Criminals are using CSS to get around filters and track email usage
DeepSeek on a mobile phone
More US government departments ban controversial AI model DeepSeek
Ransomware
Fortinet firewall bugs are being targeted by LockBit ransomware hackers
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
NordProtect logo
Standalone identity theft protection from Nord Security is now available
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
Ofcom cracks down on UK tech firms, will issue sanctions for illegal content
Latest in News
Perplexity Squid Game Ad
New ad declares Squid Game's real winner is Perplexity AI
Frank Grimes confronts Homer Simpson in The Simpsons' Homer's Enemy episode
Disney+ adds a new continuous Simpsons stream, so you no longer have to spend ages choosing an episode
Helly and Mark standing on an artificial hill surrounded by goats in Severance season 2 episode 3
New Apple teaser for Severance season 2 finale suggests we might finally find out what Lumon is doing with those goats, and I don't think it's anything good
Foldable iPhone
Apple’s first foldable iPhone could beat the Samsung Galaxy Z Fold 7 in one key way
Marvel Rivals
Marvel Rivals' next update will add two new hero skins for Iron Man and Spider-Man mains this week
Nvidia Isaac GROOT N1
“The age of generalist robotics is here" - Nvidia's latest GROOT AI model just took us another step closer to fully humanoid robots