| Field | Value |
|---|---|
| Attack Vector | Network |
| Malware Type | Remote Access Trojan |
| Category | IoT Botnet |
| Target | Tenda Router AC15 AC1900 |
| Affected Industry | All (hardware specific exploit) |
Mirai is malware that scans the Internet for IoT devices running on the Argonaut RISC Core (ARC) processor, which runs a stripped-down version of the Linux OS. It combines the capabilities of a virus, a worm and a Trojan. Well-known Mirai variants in the wild include Okiru, Satori, Masuta and PureMasuta. Mirai began operating in the latter part of 2016; the subsequent publication of its source code led to the inception of various mutants and variants. Mirai mostly targeted service providers.
Ttint is an IoT botnet based on the Mirai source code. Unlike Mirai, which normally orchestrates DDoS attacks, Ttint adds command execution and intranet roaming through compromised routers. This variant of Mirai also uses the following custom control functions:
Ttint exploits two vulnerabilities: one was patched recently (CVE-2020-10987) and the other remains undisclosed and unpatched. CVE-2020-10987 affects Tenda AC15 AC1900 routers and allows attackers to execute arbitrary system commands via the “deviceName” POST parameter.
Other Tenda AC15 AC1900 vulnerabilities are:
CVE-2020-10986
CVE-2020-10988
CVE-2020-10989
CVE-2020-15916
Indicators of compromise are:
IP addresses:
34.92.85.21
34.92.139.186
43.249.29.56
45.249.92.60
45.249.92.72
103.60.220.48
103.108.142.92
103.243.183.248
File hashes (MD5):
3e6a16bcf7a9e9e0be25ae28551150f5
4ee942a0153ed74eb9a98f7ad321ec97
6bff8b6fd606e795385b84437d1e1e0a
733f71eb6cfca905e8904d0fb785fb43
a89cefdf71f2fced35fba8612ad07174
c5cb2b438ba6d809f1f71c776376d293
cfc0f745941ce1ec024cb86b1fd244f3
73ffd45ab46415b41831faee138f306e
C2 hosts and ports:
cnc.notepod2.com:23231
back.notepod2.com:80
q9uvveypiB.notepod2.com:443
Uhyg8v.notepod2.com:5001
Payload URLs (defanged):
http://45.112.205.60/td[.]sh
http://45.112.205.60/ttint[.]i686
http://45.112.205.60/ttint[.]arm5el
http://45.112.205.60/ttint[.]mipsel
http://34.92.139.186:5001/bot/get[.]sh
http://34.92.139.186:5001/bot/ttint[.]mipsel
http://34.92.139.186:5001/bot/ttint[.]x86_64
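The indicators above are only useful once they are matched against telemetry. The script below is an added example (not code from the original page or from any vendor) that loads the page's IPs, hashes, C2 hosts and defanged URLs, refangs the `[.]` notation, and runs them over a handful of constructed log lines in a simple `key=value` format. It goes one step beyond the page in two places, both marked as assumptions in the code: any DNS query under the C2 hosts' shared parent domain is flagged, and any HTTP request to a known C2/payload host is flagged even when the exact path is not on the list. The log format, the `check_*` function names and the sample lines are all invented for this example.

```python
"""Match the Ttint IoCs listed on this page against constructed log lines.

Added example, not the page's own code. Log format and sample lines are constructed.
"""
import re
from urllib.parse import urlparse

# Indicators copied from the page; URLs kept defanged ("[.]") exactly as listed.
C2_IPS = {
    "34.92.85.21", "34.92.139.186", "43.249.29.56", "45.249.92.60",
    "45.249.92.72", "103.60.220.48", "103.108.142.92", "103.243.183.248",
}
FILE_HASHES_MD5 = {
    "3e6a16bcf7a9e9e0be25ae28551150f5", "4ee942a0153ed74eb9a98f7ad321ec97",
    "6bff8b6fd606e795385b84437d1e1e0a", "733f71eb6cfca905e8904d0fb785fb43",
    "a89cefdf71f2fced35fba8612ad07174", "c5cb2b438ba6d809f1f71c776376d293",
    "cfc0f745941ce1ec024cb86b1fd244f3", "73ffd45ab46415b41831faee138f306e",
}
C2_HOST_PORTS = {
    "cnc.notepod2.com:23231", "back.notepod2.com:80",
    "q9uvveypiB.notepod2.com:443", "Uhyg8v.notepod2.com:5001",
}
PAYLOAD_URLS_DEFANGED = [
    "http://45.112.205.60/td[.]sh", "http://45.112.205.60/ttint[.]i686",
    "http://45.112.205.60/ttint[.]arm5el", "http://45.112.205.60/ttint[.]mipsel",
    "http://34.92.139.186:5001/bot/get[.]sh",
    "http://34.92.139.186:5001/bot/ttint[.]mipsel",
    "http://34.92.139.186:5001/bot/ttint[.]x86_64",
]


def refang(value: str) -> str:
    """Turn the defanged '[.]' notation back into a real dot for matching."""
    return value.replace("[.]", ".")


# Derived lookups. Hostnames are compared case-insensitively.
C2_DOMAINS = {hp.rsplit(":", 1)[0].lower() for hp in C2_HOST_PORTS}
# ASSUMPTION (generalisation, not stated by the page): every listed C2 host sits
# under one parent domain, so any query beneath that parent is treated as suspect.
C2_PARENT_DOMAINS = {d.split(".", 1)[1] for d in C2_DOMAINS}   # {"notepod2.com"}
PAYLOAD_URLS = {refang(u) for u in PAYLOAD_URLS_DEFANGED}
PAYLOAD_HOSTS = {urlparse(u).hostname for u in PAYLOAD_URLS}  # 45.112.205.60, 34.92.139.186


def check_dns(qname: str):
    """Return a reason string if a DNS query name matches, else None."""
    q = qname.rstrip(".").lower()
    if q in C2_DOMAINS:
        return "known C2 host"
    if any(q == p or q.endswith("." + p) for p in C2_PARENT_DOMAINS):
        return "subdomain of C2 parent domain"
    return None


def check_connection(dst_ip: str):
    """Flag outbound connections to any listed C2 or payload-hosting IP."""
    return "known C2/payload IP" if dst_ip in C2_IPS or dst_ip in PAYLOAD_HOSTS else None


def check_url(url: str):
    """Exact match on a listed payload URL, else (assumption) any request to its host."""
    u = refang(url)
    if u in PAYLOAD_URLS:
        return "known payload URL"
    host = (urlparse(u).hostname or "").lower()
    if host in PAYLOAD_HOSTS or host in C2_IPS:
        return "request to known C2/payload host"
    return None


def check_hash(digest: str):
    """Case-insensitive MD5 lookup against the listed sample hashes."""
    return "known Ttint sample (MD5)" if digest.lower() in FILE_HASHES_MD5 else None


KV = re.compile(r"(\w+)=(\S+)")   # constructed 'key=value' log format


def scan_log(lines):
    """Return [(line_number, reason)] for every line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = dict(KV.findall(line))
        kind = f.get("type")
        reason = None
        if kind == "dns":
            reason = check_dns(f.get("qname", ""))
        elif kind == "conn":
            reason = check_connection(f.get("dst", ""))
        elif kind == "http":
            reason = check_url(f.get("url", ""))
        elif kind == "file":
            reason = check_hash(f.get("md5", ""))
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample telemetry (not real captures); lines 2 and 5 are benign.
SAMPLE_LOG = [
    "type=dns qname=cnc.notepod2.com",
    "type=dns qname=www.example.com",
    "type=dns qname=zz1.notepod2.com",
    "type=conn dst=34.92.85.21 dport=23231",
    "type=conn dst=192.0.2.10 dport=443",
    "type=http url=http://45.112.205.60/td.sh",
    "type=file md5=3E6A16BCF7A9E9E0BE25AE28551150F5",
    "type=http url=http://34.92.139.186:5001/index.html",
]

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The parent-domain and host-level matches will fire on more than the page's exact indicators, which is the intended trade-off for a netflow or DNS hunt; narrow them back to the exact sets if the matcher feeds an automated block rather than an analyst queue.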