"Most sophisticated" Torii botnet targeting IoT devices

Avast's threat labs team has discovered “the most sophisticated botnet that they have ever seen” and it is targeting IoT devices.

The new IoT malware strain/botnet, that the firm has codenamed Torii, has spread over poorly secured telnet services with the attack stemming from Tor exit nodes.

Payload delivery

According to Avast, the infection chain begins with a telnet attack on the weak credentials of targeted devices followed by the execution of an initial shell script. The script tries to discover the architecture of the targeted device and once this is complete it attempts to download the appropriate payload for the devices (binary files in the ELF format).

The core functionality of these payloads is to install an inner ELF with the first ELF file. This is the second stage executable which is highly persistent and uses at least six methods to ensure the ELF file remains on the device and is always running. After this, the inner ELF is executed to deliver the second stage payload, a fully-fledged bot capable of executing commands from its master CnC server.

Threat details

Torii has yet to be used in either DDoS attacks or for cryptojacking. Instead, the malware steals data from IoT devices and allows attackers to execute code remotely which could allow them to run any command on the infected machines. However, the malware is capable of fetching and executing other commands using multiple layers of encryption.

Torii is one of the most sophisticated malware strains ever observed by Avast. In addition to sharing information regarding infected devices, the malware's communication with the CnC server allows its authors to execute any code or deliver any payload to an infected device. This suggests that Torii could become a modular platform for future use.

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.