Torii Botnet - Not Another Mirai Variant (Sep 27, 2018)
A new Internet of Things (IoT) botnet has been observed in the wild that differs from the better-known botnets such as Mirai and QBot. Security researchers have dubbed the malware "Torii". The botnet initially infects a device by brute-forcing default credentials or weak passwords. If it gains access, it executes a shell script that gathers the device's CPU architecture and uses it to download the matching subsequent payloads. The first payload, an ELF file, acts as a dropper that installs a second ELF file. That second-stage payload is the actual bot: it applies roughly six different persistence methods at the same time so that the file stays on the device and keeps running, and it connects to the command and control (C2) server to receive commands. The bot includes anti-debugging techniques, data exfiltration and multi-level encryption, amongst other features, and the C2 server can instruct an infected device to execute code or fetch further payloads, which makes Torii a modular platform. Torii can be difficult to spot on a network because, unlike Mirai-style bots, it does not scan for other targets to infect.
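Because the bot's persistence is what keeps it on the device after a reboot, a useful triage step is to audit the usual Linux autostart locations on a mounted device root or extracted firmware image for entries that launch executables from scratch or temporary directories. The script below is an added example written for this page, not code from the original report or from the Torii analysis; the list of autostart locations and the "suspicious directory" heuristic are generic assumptions about Linux/IoT persistence and are not the page's enumeration of Torii's six methods. The sample root it builds is constructed for demonstration.

```python
"""Audit a Linux root filesystem (e.g. a mounted IoT device root or an
extracted firmware image) for autostart entries that execute binaries from
unusual, writable locations. Example code; heuristics are assumptions."""
import re
import tempfile
from pathlib import Path

# Autostart locations commonly abused for persistence on Linux/IoT hosts.
# Assumption: a generic list, not the specific methods used by any one bot.
AUTOSTART_FILES = [
    "etc/rc.local",
    "etc/inittab",
    "etc/crontab",
    "root/.bashrc",
    "root/.profile",
]
AUTOSTART_DIRS = [
    "etc/init.d",
    "etc/cron.d",
    "var/spool/cron/crontabs",
    "etc/systemd/system",
    "lib/systemd/system",
]

# Directories a legitimate init entry rarely executes from (assumption).
# Matches a path at line start, after whitespace, or after '=' (ExecStart=...).
SUSPICIOUS_DIR_RE = re.compile(r"(^|\s|=)(/tmp|/var/tmp|/dev/shm|/data/local)/\S*")


def scan_file(path: Path, rel: str):
    """Return (relative_path, line_number, line) for each suspicious line."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        if SUSPICIOUS_DIR_RE.search(stripped):
            findings.append((rel, lineno, stripped))
    return findings


def audit_persistence(root):
    """Walk the known autostart files and directories under root."""
    root = Path(root)
    findings = []
    for rel in AUTOSTART_FILES:
        p = root / rel
        if p.is_file():
            findings.extend(scan_file(p, rel))
    for rel in AUTOSTART_DIRS:
        d = root / rel
        if d.is_dir():
            for p in sorted(d.rglob("*")):
                if p.is_file():
                    findings.extend(scan_file(p, str(p.relative_to(root))))
    return findings


def build_sample_root():
    """Construct a small fake device root for demonstration only.
    Three of the five entries point into writable scratch directories."""
    root = Path(tempfile.mkdtemp(prefix="iot-root-"))
    files = {
        "etc/rc.local": "#!/bin/sh\n# nothing unusual here\nexit 0\n",
        "etc/crontab": "SHELL=/bin/sh\n@reboot root /tmp/.x/a.out\n",
        "etc/init.d/S99net": "#!/bin/sh\n/var/tmp/.svc/daemon &\n",
        "root/.bashrc": "alias ll='ls -l'\n/dev/shm/.p/run >/dev/null 2>&1 &\n",
        "etc/systemd/system/net.service": "[Service]\nExecStart=/usr/sbin/nginx\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for rel, lineno, line in audit_persistence(sample):
        print(f"{rel}:{lineno}: {line}")
```

Run it against a real mount point with `audit_persistence("/mnt/device-root")`; on the constructed sample it reports the crontab `@reboot` entry, the `.bashrc` line and the `init.d` script, and leaves the systemd unit that starts `/usr/sbin/nginx` alone. Because a bot that uses several persistence methods at once will usually leave more than one of these traces, a single hit is worth following up by checking the remaining locations by hand.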
Recommendation: IoT devices should be placed behind a firewall or network address translation and segregated on their own Virtual Local Area Network (VLAN) so that a compromised device cannot reach the rest of the network. Change the default password of IoT devices such as routers and printers to something that is difficult for threat actors to guess, but memorable for you, since brute-forcing default and weak credentials is how this botnet gets in. Anything that faces the internet can be targeted by threat actors, and as this story illustrates, malware can evolve extremely quickly, so it is crucial to stay up to date with security patches and firmware updates.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.