The IoT wave has been growing fast and has been dubbed the technology of the future. To take advantage of the weak security controls present in IoT devices, hackers publish specialized code. Mirai and QBot are the leading giant botnets, with millions of compromised devices at their command.
Recently, a new sophisticated botnet has been discovered which specializes in compromising IoT devices. This botnet has been named Torii since it appeared from Tor exit nodes. Torii comes with advanced techniques and persistence methods not seen in earlier IoT botnets.
To begin with, Torii can run on almost every modern computer, smartphone, and tablet. Target architectures include x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, PPC and others.
It was first discovered by security researcher Vess (VessOnSecurity), when Torii strains hit one of the researcher’s honeypots.
This new malware strain contains unprecedented levels of sophistication and has an impressive set of features. As highlighted by Avast, Torii does not (yet) do the usual things a botnet does, such as DDoS, attacking every device connected to the internet, or, of course, mining cryptocurrencies. It is rather focused on stealing sensitive information, and has at least six methods to maintain persistence:
- Automatic execution via injected code into ~/.bashrc
- Automatic execution via “@reboot” clause in crontab
- Automatic execution as a “System Daemon” service via systemd
- Automatic execution via /etc/init and PATH. Once again, it calls itself “System Daemon”
- Automatic execution via modification of the SELinux Policy Management
- Automatic execution via /etc/inittab
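A defender-side check for the persistence locations listed above, written as an added example (it is not from the original write-up or from any published Torii analysis). It scans a filesystem root so it can run over a mounted image; the sample tree, the file names and the heuristic that the launched binary lives in a tmp directory are constructed assumptions. The SELinux policy change is not covered, since it needs `semodule`, not a file read.

```python
import glob
import re
import tempfile
from pathlib import Path

# Persistence locations from the write-up, as (glob relative to root, line regex, label).
# Assumption (not from the write-up): the payload runs from a world-writable tmp directory,
# so .bashrc and inittab lines are flagged only when they launch something from there.
TMP = r"(/tmp/|/var/tmp/|/dev/shm/)"
CHECKS = [
    ("root/.bashrc",                 r"^\s*(?!#).*" + TMP,                       "bashrc launches binary from tmp dir"),
    ("home/*/.bashrc",               r"^\s*(?!#).*" + TMP,                       "bashrc launches binary from tmp dir"),
    ("var/spool/cron/crontabs/*",    r"^\s*@reboot\b",                           "crontab @reboot entry"),
    ("etc/systemd/system/*.service", r"^\s*Description\s*=\s*System Daemon\s*$", "systemd unit named 'System Daemon'"),
    ("etc/init*/*",                  r"System Daemon",                           "init script naming itself 'System Daemon'"),
    ("etc/inittab",                  r"^[^#][^:]*:[^:]*:(respawn|once|boot|sysinit):.*" + TMP, "inittab entry launching binary from tmp dir"),
]

def scan_persistence(root="/"):
    """Return sorted (relative path, label, line number, line) tuples for every hit under root."""
    base = Path(root)
    findings = []
    for pattern, regex, label in CHECKS:
        rx = re.compile(regex)
        for hit in glob.glob(str(base / pattern)):
            path = Path(hit)
            try:
                lines = path.read_text(errors="replace").splitlines()
            except OSError:
                continue  # unreadable file or a directory: skip rather than abort the scan
            for lineno, line in enumerate(lines, 1):
                if rx.search(line):
                    findings.append((str(path.relative_to(base)), label, lineno, line.strip()))
    return sorted(findings)

def build_sample_tree():
    """Write a constructed mini filesystem (not real Torii artifacts) and return its root."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "root/.bashrc": "# leave /tmp alone\nexport PATH=$PATH:/usr/local/bin\n/tmp/.sd/sd &\n",
        "var/spool/cron/crontabs/root": "0 3 * * * /usr/bin/backup\n@reboot /tmp/.sd/sd\n",
        "etc/systemd/system/sshd.service": "[Unit]\nDescription=OpenSSH server\n",
        "etc/systemd/system/sd.service": "[Unit]\nDescription=System Daemon\n[Service]\nExecStart=/tmp/.sd/sd\n",
        "etc/init.d/sd": "#!/bin/sh\n# System Daemon\n/tmp/.sd/sd &\n",
        "etc/inittab": "id:3:initdefault:\nsd:2345:respawn:/tmp/.sd/sd\n",
    }
    for rel, text in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root
```

Running `scan_persistence(build_sample_tree())` reports one hit per planted location and nothing for the benign sshd unit, the commented bashrc line, or the initdefault entry.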
Torii also utilizes a variety of commands, “wget”, “ftpget”, “ftp”, “busybox wget”, or “busybox ftpget”, to ensure payload delivery.
The botnet is believed to have been in operation since 2017, though its footprints have only started showing recently. It comes with a quite rich set of features for exfiltrating sensitive information and a modular architecture capable of fetching and executing further commands and executables, all of it over multiple layers of encrypted communication.