An unknown hacking group is leveraging a previously unknown malware called Ttint, categorized as an IoT-specific Trojan. What is known so far is that its developers are using two zero-day vulnerabilities to intrude onto the target devices. The security analysis led to an investigation that identified the weaknesses as those described in two published advisories: CVE-2018-14558 and CVE-2020-10987. From the captured samples, it appears that the malware is based on Mirai code.
CVE-2018-14558 & CVE-2020-10987 Used As Mechanisms to Deliver Ttint IoT Trojan
A new and dangerous IoT Trojan is attacking devices worldwide. According to the released code analysis, it is based on the Mirai code and developed by an unknown hacking group. Like other viruses of this category, once a single infection has occurred it will automatically attempt to intrude onto other similar hosts, building a large botnet in the process. For this reason, such attack campaigns are deemed very effective when properly configured against suitable targets.
Infiltrations with this particular malware are made using the typical approach of direct network attacks — the hackers use automated frameworks loaded with the necessary exploits. If the target networks are unpatched, the infections happen automatically. One of the reasons these intrusions were seen as critical in their damage potential is that the weaknesses were labeled as “zero-day”: they were unknown prior to the infections.
The first attacks were detected in November 2019, when the Ttint IoT Trojan was launched against Tenda router owners. This first instance used the two vulnerabilities, and public disclosure was made in July 2020. The second attack wave was carried out in August 2020, again against Tenda devices. The Ttint Trojan focuses on these two advisories:
- CVE-2018-14558 — An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firmware through V15.03.05.19(6318)_CN(AC9), and AC10 devices with firmware through V15.03.06.23_CN(AC10). A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted goform/setUsbUnload request. This occurs because the “formsetUsbUnload” function executes a dosystemCmd function with untrusted input.
- CVE-2020-10987 — The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
According to the available information, most of the attacks are against victims in South America.
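As an added example that is not part of the original article or of any vendor code, the following Python snippet scans web-server request lines for the pattern both advisories describe: a POST to goform/setUsbUnload whose deviceName parameter contains shell metacharacters or is not a plausible block-device name. The log format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log: one request per line as "client method path body",
# with "-" standing in for an empty body. Not a real capture.
SAMPLE_LOG = """\
203.0.113.5 POST /goform/setUsbUnload deviceName=sda1
203.0.113.9 POST /goform/setUsbUnload deviceName=sda1%3Bls
198.51.100.2 GET /goform/getStatus -
203.0.113.9 POST /goform/setUsbUnload deviceName=../../tmp/x
"""

VULN_ENDPOINT = "/goform/setUsbUnload"   # endpoint named in both advisories
INJECTED_PARAM = "deviceName"            # parameter named in CVE-2020-10987
# Shell metacharacters that have no place in a USB device name.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
# Positive allowlist: legitimate names are short alphanumeric identifiers.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

def parse_line(line):
    """Split one constructed log line into its fields; decode the body."""
    src, method, path, body = line.split(" ", 3)
    params = parse_qs(body, keep_blank_values=True) if body != "-" else {}
    return {"src": src, "method": method, "path": path, "params": params}

def is_suspicious(req):
    """True for a setUsbUnload request whose deviceName cannot be a device name."""
    if req["path"] != VULN_ENDPOINT:
        return False
    for value in req["params"].get(INJECTED_PARAM, []):
        if SHELL_META.search(value) or not SAFE_NAME.match(value):
            return True
    return False

def scan(log_text):
    """Return (source, deviceName values) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        if is_suspicious(req):
            hits.append((req["src"], req["params"][INJECTED_PARAM]))
    return hits

if __name__ == "__main__":
    for src, values in scan(SAMPLE_LOG):
        print(f"possible setUsbUnload exploitation attempt from {src}: {values}")
```

The allowlist check catches values the metacharacter regex alone would miss, such as the path-like name in the last sample line.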
Ttint IoT Trojan Capabilities
The Ttint IoT Trojan is based on Mirai and as such includes a similar infection sequence. While it retains the same distributed denial-of-service approach, the hackers have also implemented an additional 12 control instructions.
When the infection runs on an affected device, one of its first actions is to hide its tracks from detection. This is done by monitoring the operating system for any installed security systems. If any are found, the Trojan will attempt to disable them; this covers programs and services such as anti-virus programs, firewalls and virtual machine hosts. The malware engine may delete itself if it fails to bypass these programs.
Once the Trojan is present on a given system it will prevent the system from restarting; this is an example of a persistent installation. This is intentional and differs from other similar threats, which merely start the virus when the device is powered on.
The processes associated with the malware are renamed in an attempt to hide their presence. All configuration files and data associated with its operation are encrypted, making them available only to the hackers. Some of the distinct features of the Ttint IoT Trojan are the following:
- Advanced Trojan Operation – The locally-installed agent program will connect to a hacker-controlled server and allow the remote attackers to take full control of the devices. However, instead of using a standard connection, this particular virus uses a websocket protocol, which makes its packets very difficult to trace.
- Proxy Server Usage – The communication between the local device and the remote hacker-controlled server is relayed through a proxy server operated by the criminals.
- Network Access Hijack – The malware reconfigures important configuration files of the target devices. As the targets are mostly routers, by doing so the criminals gain full control over the users' network access.
- Network Exposure – By rewriting the firewall rules the threat is able to expose the otherwise private services deployed on the machines behind the internal network.
- Upgrade – At given intervals the main malware checks whether a new version of it has been released. It can automatically update to any newer iteration.
Like other viruses of this category, it is able to hijack sensitive information from the host device, including details of the available hardware components. The collected data is reported to the criminals over the network.
A full list of the built-in commands is the following:
- attack_udp_generic
- attack_udp_vse
- attack_udp_dns
- attack_udp_plain
- attack_tcp_flag
- attack_tcp_pack
- attack_tcp_xmas
- attack_grep_ip
- attack_grep_eth
- attack_app_http
- run “nc” command
- run “ls” command
- execute system commands
- tampering with router DNS
- report device information
- config iptables
- run “ifconfig” command
- self-exit
- open Socks5 proxy
- close Socks5 proxy
- self-upgrade
- reverse shell
At this moment the best remediation is to upgrade to the newest available firmware from the device manufacturer. So far Tenda is the only known manufacturer of targeted devices. Given the magnitude of the attacks and the extensive feature list, we expect that future attacks will target a wider range of IoT devices.