Ttint IoT Botnet Threat Intel Advisory

Summary

CloudSEK Threat Intelligence Advisory on Ttint, an IoT botnet and Mirai variant targeting Tenda AC15 AC1900 routers by exploiting CVE-2020-10987.

Attack Vector: Network
Malware Type: Remote Access Trojan
Category: IoT Botnet
Target: Tenda Router AC15 AC1900
Affected Industry: All (hardware-specific exploit)


Mirai and Mutants

Mirai scans the Internet for IoT devices that run on the Argonaut RISC Core (ARC) processor under a stripped-down Linux. The malware combines the capabilities of a virus, a worm and a Trojan. Well-known Mirai variants in the wild include Okiru, Satori, Masuta and PureMasuta. Mirai began operating in the latter part of 2016, and the subsequent publication of its source code led to the many mutants and variants now circulating. Mirai mostly targeted service providers.

Ttint

Ttint is an IoT botnet based on the Mirai source code. Unlike Mirai, which is normally used to orchestrate DDoS attacks, Ttint adds command execution and intranet roaming through compromised routers. It also implements the following custom control functions:
  • SOCKS5 proxy on the router
  • DNS tampering at the router level
  • Custom iptables rules for traffic redirection
  • Custom system command execution
  • WebSocket over TLS for C2 communication
  • Reverse shell
  • Self-upgrade

Exploiting 0-day

Ttint exploits two vulnerabilities: one was patched recently (CVE-2020-10987), while the other remains undisclosed and unpatched. CVE-2020-10987 affects Tenda AC15 AC1900 routers and allows attackers to execute arbitrary system commands via the “deviceName” POST parameter.

Impact

  • Ttint targets Tenda routers to build the botnet. As a result, any consumer who uses the vendor’s hardware is a potential target of the attack.
  • Once the router is compromised, the attacker can reach the internal network behind it, enabling attacks on other machines.
  • As a Remote Access Trojan, it has espionage capabilities and can build a digital footprint of its victims.
  • DDoS attacks launched by the botnet can take down critical services, causing downtime that affects availability to clients and eventually leads to financial loss.
  • Because the malware can manipulate network traffic, both confidentiality and integrity are compromised.
  • Spam mailing.
  • Ttint steals credit card information.
  • This IoT botnet performs click fraud.
  • It is also capable of solving weak CAPTCHA challenges on websites.

Other Tenda AC15 AC1900 vulnerabilities are: CVE-2020-10986, CVE-2020-10988, CVE-2020-10989, CVE-2020-15916.

IoCs

IP
34.92.85.21
34.92.139.186
43.249.29.56
45.249.92.60
45.249.92.72
103.60.220.48
103.108.142.92
103.243.183.248

MD5 hashes
3e6a16bcf7a9e9e0be25ae28551150f5
4ee942a0153ed74eb9a98f7ad321ec97
6bff8b6fd606e795385b84437d1e1e0a
733f71eb6cfca905e8904d0fb785fb43
a89cefdf71f2fced35fba8612ad07174
c5cb2b438ba6d809f1f71c776376d293
cfc0f745941ce1ec024cb86b1fd244f3
73ffd45ab46415b41831faee138f306e

C2
cnc.notepod2.com:23231
back.notepod2.com:80
q9uvveypiB.notepod2.com:443
Uhyg8v.notepod2.com:5001

URL
http://45.112.205.60/td[.]sh
http://45.112.205.60/ttint[.]i686
http://45.112.205.60/ttint[.]arm5el
http://45.112.205.60/ttint[.]mipsel
http://34.92.139.186:5001/bot/get[.]sh
http://34.92.139.186:5001/bot/ttint[.]mipsel
http://34.92.139.186:5001/bot/ttint[.]x86_64
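The indicators above only help if they are actually checked against telemetry. The following Python script is an added example written for this advisory (it is not CloudSEK code): it loads the published IPs, MD5 hashes, C2 endpoints and download URLs, refangs the "[.]" notation, and sweeps a set of constructed log lines (a dnsmasq-style DNS query, a connection record, a proxy access record and a file-hash inventory line) for matches. Because Ttint tampers with router DNS and talks to its C2 over WebSocket/TLS, DNS query logs and outbound connection logs from the router segment are the most useful inputs. Two points are the example's own assumptions, not statements from the advisory: the hosts embedded in the download URLs are treated as indicators in their own right, and any other subdomain of the published C2 domains is flagged as suspicious.

```python
import re

# Indicators copied from the advisory above (defanged "[.]" kept as published).
ADVISORY_IPS = [
    "34.92.85.21", "34.92.139.186", "43.249.29.56", "45.249.92.60",
    "45.249.92.72", "103.60.220.48", "103.108.142.92", "103.243.183.248",
]
ADVISORY_MD5 = [
    "3e6a16bcf7a9e9e0be25ae28551150f5", "4ee942a0153ed74eb9a98f7ad321ec97",
    "6bff8b6fd606e795385b84437d1e1e0a", "733f71eb6cfca905e8904d0fb785fb43",
    "a89cefdf71f2fced35fba8612ad07174", "c5cb2b438ba6d809f1f71c776376d293",
    "cfc0f745941ce1ec024cb86b1fd244f3", "73ffd45ab46415b41831faee138f306e",
]
ADVISORY_C2 = [
    "cnc.notepod2.com:23231", "back.notepod2.com:80",
    "q9uvveypiB.notepod2.com:443", "Uhyg8v.notepod2.com:5001",
]
ADVISORY_URLS = [
    "http://45.112.205.60/td[.]sh", "http://45.112.205.60/ttint[.]i686",
    "http://45.112.205.60/ttint[.]arm5el", "http://45.112.205.60/ttint[.]mipsel",
    "http://34.92.139.186:5001/bot/get[.]sh", "http://34.92.139.186:5001/bot/ttint[.]mipsel",
    "http://34.92.139.186:5001/bot/ttint[.]x86_64",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def refang(indicator):
    """Turn the published defanged form (e.g. td[.]sh) back into a matchable string."""
    return indicator.replace("[.]", ".")


def build_ioc_sets():
    """Normalise the advisory lists into lookup sets keyed by indicator type."""
    ips = set(ADVISORY_IPS)
    urls = {refang(u).lower() for u in ADVISORY_URLS}
    hosts = {c2.rsplit(":", 1)[0].lower() for c2 in ADVISORY_C2}
    # Assumption: the hosts embedded in the download URLs are indicators too.
    for u in urls:
        netloc = u.split("://", 1)[1].split("/", 1)[0].rsplit(":", 1)[0]
        if IPV4_RE.fullmatch(netloc):
            ips.add(netloc)
        else:
            hosts.add(netloc)
    # Assumption: other subdomains of the C2 domains are worth flagging as well,
    # since the published C2 names are random-looking labels under one domain.
    base_domains = {".".join(h.split(".")[-2:]) for h in hosts}
    return {"ips": ips, "md5": {h.lower() for h in ADVISORY_MD5},
            "hosts": hosts, "base_domains": base_domains, "urls": urls}


def host_matches(host, iocs):
    """True for a published C2 host or any subdomain of a C2 base domain."""
    host = host.lower()
    return host in iocs["hosts"] or any(host.endswith("." + d) for d in iocs["base_domains"])


def scan_lines(lines, iocs=None):
    """Return (line_number, kind, indicator) for every IoC found in the log lines."""
    iocs = iocs or build_ioc_sets()
    findings = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            if url.lower().rstrip("/") in iocs["urls"]:
                findings.append((n, "url", url))
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ips"]:
                findings.append((n, "ip", ip))
        for digest in MD5_RE.findall(line):
            if digest.lower() in iocs["md5"]:
                findings.append((n, "md5", digest.lower()))
        for host in HOST_RE.findall(line):
            if host_matches(host, iocs):
                findings.append((n, "domain", host.lower()))
    return findings


# Constructed sample log lines (not real telemetry); the last two are benign.
SAMPLE_LOGS = [
    "2020-10-05T02:13:55Z proxy GET http://45.112.205.60/ttint.mipsel 200",
    "2020-10-05T02:14:07Z dnsmasq: query[A] q9uvveypib.notepod2.com from 192.168.0.23",
    "2020-10-05T02:14:09Z conn 192.168.0.23:51022 -> 34.92.139.186:5001 proto=tcp",
    "2020-10-05T02:15:00Z fileinfo path=/tmp/ttint.mipsel md5=733F71EB6CFCA905E8904D0FB785FB43",
    "2020-10-05T02:16:12Z dnsmasq: query[A] www.example.com from 192.168.0.40",
    "2020-10-05T02:16:30Z conn 192.168.0.40:44121 -> 198.51.100.10:443 proto=tcp",
]

if __name__ == "__main__":
    for n, kind, indicator in scan_lines(SAMPLE_LOGS):
        print(f"line {n}: {kind} IoC {indicator}")
```

Run against the sample lines, the script reports the download URL and its host on line 1, the C2 lookup on line 2, the outbound connection to an advisory IP on line 3 and the known MD5 on line 4, and stays silent on the two benign lines. Hash matching is case-insensitive and hostname matching is lower-cased, so the mixed-case C2 names as published still match what a resolver logs.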

Preventive Measures

  • Proper patch and update management.
  • Deploying efficient and robust EDR/XDR solutions on endpoint systems.