The Torii botnet has been discovered in an ongoing targeted campaign, and analysis of its distinctive features shows that it behaves very differently from other well-known botnets.
Torii Botnet Relies on Distinctive Behaviour to Infect Target Hosts
The Torii botnet is a new malware threat identified in an ongoing attack. Its behaviour patterns differ substantially from those of Mirai and QBot, which are among the most widely used weapons in the hackers' arsenal. This prompted security researchers to look further into it.
One of the major differences lies in the way it infects. The security team notes that stealth and persistent intrusion are among its defining characteristics. Intrusion attempts are made through Telnet probing sessions that rely on weak credentials: the hackers either brute-force them or use lists of default username and password combinations. Once entry to a system has been gained, a script is called to start the next operations.
Compared with other botnets, one of the first actions is architecture detection, which is done in order to sort the infected host into one of a set of categories. The interesting fact is that the botnet supports a wide range of popular platforms: x86_64, x86, ARM, MIPS, Motorola 68k, SuperH and PPC.
It is very possible that separate builds have been made for each of them. Once the platform has been determined, common commands are triggered to download the first-stage payload dropper. This first-stage component features simple obfuscation designed to evade detection by some security software. Its main goal is to install another executable file, which is deployed to a pseudo-random location; the destination path is chosen from a built-in list.
The deployed second stage is installed as a persistent threat. In this section of the code the analysts discovered at least six methods of persistent installation, and all of them are run:
- Automatic execution via code injected into ~/.bashrc
- Automatic execution via “@reboot” clause in crontab
- Automatic execution as a “System Daemon” service via systemd
- Automatic execution via /etc/init and PATH. Once again, it calls itself “System Daemon”
- Automatic execution via modification of the SELinux Policy Management
- Automatic execution via /etc/inittab
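A practitioner checking a suspect device will want to audit exactly these six locations. The following Python audit is an added example written for this page, not code from Avast's report or from the Torii samples. Everything it knows about Torii comes from the list above (the "System Daemon" name, the @reboot clause, ~/.bashrc, /etc/init, /etc/inittab, the SELinux configuration); the heuristic that a startup hook launching a binary from a temp or hidden directory is suspicious, the sample files in DEMO_FILES and the shape of the SELinux tampering it looks for are assumptions, because the article does not describe the dropped paths or the SELinux change in detail.

```python
"""Audit a Linux tree for the six Torii persistence methods listed above.
Added example, not Avast's or the article's code. Every check takes a `root`
prefix so it runs against a mounted image or, via build_demo_tree(), against
a constructed sample; pass root="/" on a live host."""
import re
import tempfile
from pathlib import Path

# Torii drops its stages in a pseudo-random location, typically a temp or
# hidden directory, so a startup hook executing from such a path is the
# indicator used by most checks below. Heuristic, not a signature (assumption).
_SUSPICIOUS_PATH = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/|/\.[^/\s]+/)")
_BACKGROUND = re.compile(r"(\bnohup\b|\bsetsid\b|&\s*$)")
SELF_NAME = "System Daemon"  # the service name the article reports

def _lines(path):
    """Yield (lineno, text) for non-empty, non-comment lines; a missing file yields nothing."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#"):
            yield n, s

def _files(root, rel_dir, pattern="*"):
    d = Path(root, rel_dir)
    return [p for p in d.rglob(pattern) if p.is_file()] if d.is_dir() else []

def check_bashrc(root):
    """~/.bashrc injection: a backgrounded command launched from a temp/hidden dir."""
    rcs = [Path(root, "root/.bashrc"), *_files(root, "home", ".bashrc")]
    return [f"bashrc: {rc}:{n}: {l}" for rc in rcs for n, l in _lines(rc)
            if _SUSPICIOUS_PATH.search(l) and _BACKGROUND.search(l)]

def check_crontab(root):
    """Every @reboot clause; each deserves a look, and Torii's is one of them."""
    files = [Path(root, "etc/crontab"), *_files(root, "etc/cron.d"),
             *_files(root, "var/spool/cron")]
    return [f"crontab: {f}:{n}: {l}" for f in files for n, l in _lines(f)
            if l.startswith("@reboot")]

def check_systemd(root):
    """A unit that calls itself SELF_NAME or whose Exec* line runs from a temp/hidden dir."""
    out = []
    for d in ("etc/systemd/system", "lib/systemd/system", "usr/lib/systemd/system"):
        for f in _files(root, d, "*.service"):
            for n, l in _lines(f):
                key, _, value = l.partition("=")
                if (key == "Description" and value.strip() == SELF_NAME) or (
                        key.startswith("Exec") and _SUSPICIOUS_PATH.search(value)):
                    out.append(f"systemd: {f}:{n}: {l}")
    return out

def check_upstart(root):
    """/etc/init/*.conf jobs (the '/etc/init' method) naming SELF_NAME or exec'ing a suspicious path."""
    return [f"upstart: {f}:{n}: {l}" for f in _files(root, "etc/init", "*.conf")
            for n, l in _lines(f)
            if SELF_NAME in l or (l.startswith("exec ") and _SUSPICIOUS_PATH.search(l))]

def check_selinux_config(root):
    """/etc/selinux/config should hold only KEY=VALUE lines; anything else was appended.
    Assumption: the article does not detail the SELinux tampering, so this check is generic."""
    f = Path(root, "etc/selinux/config")
    return [f"selinux: {f}:{n}: {l}" for n, l in _lines(f)
            if not re.fullmatch(r"[A-Z_]+=\S+", l)]

def check_inittab(root):
    """/etc/inittab entries (id:levels:action:process) whose process sits in a temp/hidden dir."""
    f, out = Path(root, "etc/inittab"), []
    for n, l in _lines(f):
        fields = l.split(":", 3)
        if len(fields) == 4 and _SUSPICIOUS_PATH.search(fields[3]):
            out.append(f"inittab: {f}:{n}: {l}")
    return out

CHECKS = (check_bashrc, check_crontab, check_systemd, check_upstart,
          check_selinux_config, check_inittab)

def audit(root="/"):
    """Run every check and return the combined findings as 'kind: file:line: text'."""
    return [finding for check in CHECKS for finding in check(root)]

# Constructed sample artifacts for the demo tree: benign entries next to one
# injected entry per mechanism. Paths and names are made up for illustration.
DEMO_FILES = {
    "root/.bashrc": 'alias ll="ls -l"\n. "$HOME/.cargo/env"\n'
                    'nohup "/tmp/.x/System Daemon" >/dev/null 2>&1 &\n',
    "home/alice/.bashrc": "export EDITOR=vim\n",
    "etc/crontab": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
                   "@reboot root /var/tmp/.d/sd\n",
    "etc/systemd/system/sd.service": "[Unit]\nDescription=System Daemon\n"
                                      "[Service]\nExecStart=/tmp/.x/sd\n",
    "etc/init/sd.conf": 'description "System Daemon"\nstart on runlevel [2345]\n'
                        "exec /dev/shm/.s/sd\n",
    "etc/selinux/config": "SELINUX=enforcing\nSELINUXTYPE=targeted\n/var/tmp/.d/sd &\n",
    "etc/inittab": "id:3:initdefault:\nsd:2345:respawn:/tmp/.x/sd\n",
}

def build_demo_tree():
    """Write DEMO_FILES under a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="torii-audit-")
    for rel, content in DEMO_FILES.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root

if __name__ == "__main__":
    for finding in audit(build_demo_tree()):
        print(finding)
```

Against the demo tree the audit reports eight lines: one each for the .bashrc injection, the @reboot crontab entry, the SELinux config and the inittab entry, and two each for the systemd unit and the Upstart job (the self-chosen "System Daemon" name and the suspicious Exec path are reported separately). The benign `. "$HOME/.cargo/env"` line is not flagged because it is not backgrounded, which is the kind of false positive a pure path heuristic would produce; on a real host, every @reboot clause is listed and has to be reviewed by hand.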
Torii Botnet Capabilities and Damage Potential
Following the initial intrusion, the Torii botnet's main engine is deployed to the infected hosts. Like some other malware, it initially delays its operations in order to evade common signature-based and sandbox detection. Simple sandbox environments are defeated by a set of built-in anti-analysis checks. To avoid process-name blacklists, the engine runs under a randomized name, and its symbols are stripped to make analysis harder.
Once all of these checks have passed, the engine establishes an encrypted connection to a hacker-controlled server. The server addresses themselves are stored encrypted, and each malware instance appears to contain three hard-coded ones.
At this point the engine also collects the following data from the device and reports it to the hackers over this connection:
- Process ID
- Path to second stage executable
- Details found by uname() call
- All MAC addresses found in /sys/class/net/%interface_name%/address, plus their MD5 hash
- Output of several system information commands
The server communication is organized as an endless loop: the client continually polls the servers for commands to execute. When commands are sent, the client returns the resulting output and awaits the next instructions. Example commands include the following:
- file upload
- change of the server timeout period
- remote command execution
- file download
- permissions change
- execution of files
- file location check
- extraction of file contents
- file deletion
- download of files from remote URLs
- installation of a new C&C server address
- and others
The analysis also shows that the threat contains a utility module called sm_packed_agent. It appears to be used to assist remote code execution, and string analysis reveals that it may also contain server-like capabilities. So far there are no confirmed cases of this module being used in live attacks.
In conclusion, the researchers note that the Torii botnet is a very sophisticated weapon that can be deployed against all kinds of targets, especially high-profile ones. Its capabilities allow it to infect whole networks at once as well as to propagate across the internal company environment.