• Torii botnet targets smart home IoT devices.
  • The botnet can communicate securely and stealthily, as well as execute different commands sent by the malware author.

A new IoT botnet named ‘Torii’ was found targeting smart home devices. Security researchers consider it to be the “most sophisticated botnet” they’ve ever seen. This is primarily due to Torii using six different methods for persistence. The botnet also uses a different script from other typical IoT malware in the wild.

The malware author(s) appears to have designed Torii to be stealthy and persistent. Torii’s operator(s) also created binaries for multiple architectures, to execute its advanced features. Communication with the command and control (C2) servers is encrypted and other advanced functions of the malware include exfiltration and command execution.

Security researcher Dr. Vesselin Bontchev at Avast first spotted the ‘Torii’ botnet strain in his Telnet honeypot, and published a detailed report on the botnet.

Malware infection vector

Torii begins by launching a telnet attack and infects weak credentials of targeted devices, following which the botnet executes an initial shell script. Then, the botnet attempts to discover the architecture of the targeted device and downloads an appropriate payload for the device.

After determining the architecture, the botnet downloads and executes the appropriate binary (dropper) from the C2 server. These droppers are always binary files, in ELF format, and prepare for the second stage of the attack. Once the ELF and executable files are installed, the dropper makes sure that it remains persistent.

However, this persistence is achieved using at least six methods. Security researchers said that the malware makes sure that it runs all the six methods listed below:-

  • Automatic execution via injected code into ~\.bashrc
  • Automatic execution via “@reboot” clause in crontab
  • Automatic execution as a “System Daemon” service via systemd
  • Automatic execution via /etc/init and PATH. Once again, it calls itself "System Daemon"
  • Automatic execution via modification of the SELinux Policy Management
  • Automatic execution via /etc/inittab

According to the Avast report, “The list of architectures that Torii supports is quite impressive: including devices based on x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, PPC - with various bit-width and endianness. This allows Torii to infect a wide range of devices running on these very common architectures.”

Torii the largest and most sophisticated botnet

In comparison with other IoT botnet such as VPNFilter and Hide and Seek, which focus on high persistence attacks, security researchers believe that Torii supports one of the largest sets of architectures they’ve seen so far.

The malware employs encrypted communication through the TLS specific port 443 and does not use the TLS protocol.

While other families of botnets focus on distributed denial-of-service (DDoS) attacks or mining for cryptocurrencies, Torii’s current motivations remain unknown. Considering its numerous capabilities, the botnet could be used to run any command on infected devices.

"Taking into account that this file is running on a malware distribution machine, it is quite possible that it is a backdoor or even a service to orchestrate multiple machines,” Avast researchers said.

Cyware Publisher