Saturday, October 31, 2020

A New Mirai based IoT RAT Spreading Through 2 0-day Vulnerabilities

Netlab observed a new IoT botnet exploiting two Tenda router 0-day vulnerabilities to install a Remote Access Trojan (RAT).

The botnet, dubbed Ttint, has been active since November 2019. Alongside its DDoS capabilities it includes 12 remote access functions.

Ttint IoT Botnet Attack

Attackers used the following two Tenda router 0-day vulnerabilities (CVE-2018-14558 and CVE-2020-10987) to distribute the Ttint samples.

The Ttint remote access Trojan is based on Mirai code. It includes 10 Mirai DDoS attack instructions and 12 control instructions, such as a Socks5 proxy on the router, tampering with the router DNS, setting iptables rules, and executing custom system commands.

Once Ttint is executed, “it deletes its files, manipulates the watchdog, and prevents the device from restarting; it runs as a single instance by binding the port; then modifies the process name to confuse the user; it finally establishes a connection with the decrypted C2, reporting device information.”

The Ttint bot supports 22 commands: 10 DDoS commands inherited from Mirai and 12 new commands.

ID  Instruction
0   attack_udp_generic
1   attack_udp_vse
2   attack_udp_dns
3   attack_tcp_flag
4   attack_tcp_pack
5   attack_tcp_xmas
6   attack_grep_ip
7   attack_grep_eth
9   attack_udp_plain
10  attack_app_http
11  run “ifconfig” command
12  run “nc” command
13  run “ls” command
14  Config iptables
15  Execute system commands
16  Tampering with router DNS
17  Self-exit
18  Report device information
19  Open Socks5 proxy
20  Close Socks5 proxy
21  Self-upgrade
22  Reverse shell

According to Netlab analysis, “the attacker first used a Google cloud service IP, and then switched to a hosting provider in Hong Kong.”

All communication with the C2 server is encrypted: the bot talks to its C2 over WSS (WebSocket over TLS).
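The router-side changes described above (tampered DNS resolvers, added iptables rules, a new Socks5 listener under a misleading process name) are what a defender can check for on a Tenda device without needing the C2 traffic itself. The following triage helper is an added example, not code from Netlab or from this article; the known-good resolver set, the iptables baseline, and the sample captures of /etc/resolv.conf, `iptables-save` and `netstat -tlnp` are all constructed.

```python
"""Triage helper for the device-side indicators attributed to Ttint:
DNS tampering, iptables changes and an unexpected TCP listener (e.g. Socks5).
Inputs are text captured from the router; the samples below are constructed."""
import re

# Assumption: the site's known-good resolvers (replace with your own).
EXPECTED_RESOLVERS = {"192.168.0.1", "1.1.1.1"}


def check_resolvers(resolv_conf):
    """Return nameservers that are not in the expected set (DNS tampering)."""
    found = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    return [ip for ip in found if ip not in EXPECTED_RESOLVERS]


def check_iptables(rules, baseline):
    """Return rule lines absent from a baseline snapshot taken while clean."""
    return [line.strip() for line in rules.splitlines()
            if line.startswith(("-A", "-I")) and line.strip() not in baseline]


def check_listeners(netstat, allowed_ports):
    """Return (port, program) for TCP listeners outside the allowed ports.
    The program name is reported but not trusted: Ttint renames its process."""
    hits = []
    for line in netstat.splitlines():
        m = re.match(r"tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\S+)", line)
        if m and int(m.group(1)) not in allowed_ports:
            hits.append((int(m.group(1)), m.group(2)))
    return hits


# Constructed sample captures: one rogue resolver, one added rule opening
# port 1080, and a listener on 1080 whose process name claims to be sshd.
RESOLV_CONF = "nameserver 192.168.0.1\nnameserver 203.0.113.7\n"
IPTABLES = ("*filter\n:INPUT ACCEPT [0:0]\n-A INPUT -i lo -j ACCEPT\n"
            "-A INPUT -p tcp --dport 1080 -j ACCEPT\nCOMMIT\n")
BASELINE = {"-A INPUT -i lo -j ACCEPT"}
NETSTAT = ("tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 512/httpd\n"
           "tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN 731/sshd\n")

if __name__ == "__main__":
    print("rogue resolvers:", check_resolvers(RESOLV_CONF))
    print("new iptables rules:", check_iptables(IPTABLES, BASELINE))
    print("unexpected listeners:", check_listeners(NETSTAT, {80}))
```

Run the same three checks against a fresh capture from the device after a firmware update to confirm the findings are gone.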

As with any new technology, IoT promises to be the future of the Internet, bringing better connectivity and ease of use of the devices we use, but as these two botnet attacks show, an equal amount of stress must be placed on security.

Tenda router users are advised to check their device firmware and apply the necessary update; the IoCs are available in the original report.
