IoT botnet exploiting two zero-day flaws in Tenda routers

Attackers have spread a Remote Access Trojan (RAT) based on the Mirai malware to create a botnet by exploiting two zero-day vulnerabilities in routers manufactured by Tenda.

The botnet, dubbed Ttint, targets routers specifically and is based on code from the Mirai botnet-spreading malware. This malware was found to receive ten Mirai distributed denial of service (DDoS) attack instructions, as well as 12 remote control instructions, according to researchers with Netlab.

The team first detected hackers using the first of two zero-day vulnerabilities to spread samples of the malware. The flaw, tagged as CVE-2018-14558, was disclosed publicly for the first time in July by researchers with Independent Security Evaluators.

Netlab saw the second Tenda router zero-day vulnerability, tagged as CVE-2020-10987, being exploited to spread Ttint samples in August this year. The team subsequently reported the details of this flaw, as well as the proof-of-concept, although the manufacturer has not yet responded.

Ttint samples were compared during these two periods of emergence and the researchers found the command and control (C2) instructions were exactly the same, albeit with some differences in the vulnerability, cipher key and C2 protocol.

“The conventional Mirai variants normally focus on DDoS, but this variant is different,” according to Netlab’s report. ”In addition to DDoS attacks, it implements 12 remote access functions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, executing custom system commands.

“In addition, at the C2 communication level, it uses the WSS (WebSocket over TLS) protocol. Doing this can circumvent the typical Mirai traffic detection at the traffic level, and it also provides secure encrypted communication for C2.”

While Ttint is a botnet, the 12 different remote access methods stand it apart from most other botnets, with hackers using the routers as proxies to relay traffic, tamper with firewall and DNS settings, and execute commands remotely.

When running, Ttint deletes its own files, manipulates the watchdog and prevents the device from restarting. The malware also runs on a single instance by binding to the port, and modifies the process name to confused the user. Finally, it establishes a connection with the decrypted C2 server and reports device information. From this point, it waits for the C2 server to issue instructions and it executes corresponding attacks.

In terms of the infrastructure, the attacker first used a Google cloud service IP and then switched to a hosting provider in Hong Kong. When researchers looked up the website certificate, sample, domain name and IP in its DNSmon system, it was able to see more infrastructure IPs, samples and further C2 domain names.

Neither zero-day flaw has been patched, according to Netlab. IT Pro has approached Tenda for a comment and is awaiting a response.