“Most sophisticated” Torii botnet targeting IoT devices

Avast's threat labs team has discovered “the most sophisticated botnet that they have ever seen” and it is targeting IoT devices.

The new IoT malware strain/botnet, that the firm has codenamed Torii, has spread over poorly secured telnet services with the attack stemming from Tor exit nodes.

Payload delivery

According to Avast, the infection chain begins with a telnet attack on the weak credentials of targeted devices followed by the execution of an initial shell script. The script tries to discover the architecture of the targeted device and once this is complete it attempts to download the appropriate payload for the devices (binary files in the EFL format).

The core functionality of these payloads is to install an inner EFL with the first EFL file. This is the second stage executable which is highly persistent and uses at least six methods to ensure the EFL file remains on the device and is always running. After this, the inner EFL is executed to deliver the second stage payload, a fully-fledged bot capable of executing commands from its master CnC server.

Threat details

Torii has yet to be used in either DDoS attacks or for cryptojacking. Instead, the malware steals data from IoT devices and allows attackers to execute code remotely which could allow them to run any command on the infected machines. However, the malware is capable of fetching and executing other commands using multiple layers of encryption.

Torii is one of the most sophisticated malware strains ever observed by Avast. In addition to sharing information regarding infected devices, the malware's communication with the CnC server allows its authors to execute any code or deliver any payload to an infected device. This suggests that Torii could become a modular platform for future use.

Leave a Reply