Avast's threat labs team has discovered “the most sophisticated botnet that they have ever seen” and it is targeting IoT devices.
The new IoT malware strain/botnet, that the firm has codenamed Torii, has spread over poorly secured telnet services with the attack stemming from Tor exit nodes.
- We've also highlighted the best antivirus
Payload delivery
According to Avast, the infection chain begins with a telnet attack on the weak credentials of targeted devices followed by the execution of an initial shell script. The script tries to discover the architecture of the targeted device and once this is complete it attempts to download the appropriate payload for the devices (binary files in the ELF format).
The core functionality of these payloads is to install an inner ELF with the first ELF file. This is the second stage executable which is highly persistent and uses at least six methods to ensure the ELF file remains on the device and is always running. After this, the inner ELF is executed to deliver the second stage payload, a fully-fledged bot capable of executing commands from its master CnC server.
Threat details
Torii has yet to be used in either DDoS attacks or for cryptojacking. Instead, the malware steals data from IoT devices and allows attackers to execute code remotely which could allow them to run any command on the infected machines. However, the malware is capable of fetching and executing other commands using multiple layers of encryption.
Torii is one of the most sophisticated malware strains ever observed by Avast. In addition to sharing information regarding infected devices, the malware's communication with the CnC server allows its authors to execute any code or deliver any payload to an infected device. This suggests that Torii could become a modular platform for future use.
