2 former Tenda router zero-days are helping the spread of a Mirai-based botnet called Ttint. In addition to denial-of-service (DoS) attacks, this variant also has remote-access trojan (RAT) & spyware capabilities.
A variant of the Mirai botnet, called Ttint, has added espionage capabilities to complement its denial-of-service functions.
According to 360Netlab, the botnet is unusual in several ways. On the RAT side, researchers said that it implements 12 remote-access functions, which combine with custom command-&-control (C2) server commands to carry out tasks like setting up a Socket5 proxy on router devices, tampering with router DNS, setting iptables rules & executing custom system commands.
Ttint also uses encrypted channels to communicate with the C2 – using the WebSocket over TLS (WSS) protocol. Researchers explained that this allows the traffic to avoid detection while providing additional security.
Finally, the infrastructure seems to migrate. 360Netlab 1st observed the attackers using a Google cloud service IP, before switching to a hosting provider in Hong Kong.
Tenda Routers are found at big-box stores & are used in homes and small offices. The 1st vulnerability used to spread Ttint samples (CVE-2018-14558) has been exploited since at least Nov. 2019; but it wasn’t disclosed until July 2020. There is now a firmware update available to address it.
The bug is a critical command-injection vulnerability, rated 9.8 out of 10 on the CVSS vulnerability-severity scale. It allows attackers to execute arbitrary OS commands via a crafted goform/setUsbUnload request. It arises because the “formsetUsbUnload” function passes untrusted input to the doSystemCmd function.
Arbitrary System Commands
In late Aug., a 2nd critical Tenda router vulnerability (CVE-2020-10987) emerged in the campaign. It’s also rated 9.8 out of 10 & was initially disclosed in July by Independent Security Evaluators (ISE), after it had tried since Jan. to get a patch from Tenda. ISE was able to exploit the bug in order to cause a DoS condition.
The bug exists because the goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter, according to the CVE description.
360Netlab also tried to warn Tenda about issues with the bug, this time for use in botnet infections.
“On Aug. 28, 2020, we reported the details of the second 0-day vulnerability & the PoC [proof of concept] to the router manufacturer Tenda via email, but the manufacturer has not yet responded,” researchers commented.
Ttint as a malware can carry out 10 typical Mirai DDoS attack instructions (including multiple attack vectors), along with 12 RAT instructions & 22 custom C2 commands that work together.
“Generally speaking, at the host level, Ttint’s behaviour is relatively simple,” the researchers explained.
“When running, it deletes its own files, manipulates the watchdog & prevents the device from restarting, it runs as a single instance by binding the port; then modifies the process name to confuse the user.
It finally establishes a connection with the decrypted C2, reporting device information, waiting for C2 to issue instructions, & executing corresponding attacks or custom functions.”
Among the most notable of the RAT functions, researchers said, is the command to bind a port specified by the C2 in order to enable the Socket5 proxy service. This lets attackers remotely access the router’s intranet & roam across the network.
Multiple Custom Functions
“Generally speaking, Ttint will combine multiple custom functions to achieve specific attack goals,” the researchers commented. “Take the 2 adjacent commands we captured, the 1st command is iptables -I INPUT -p tcp --dport 51599 -j ACCEPT, to allow access to port 51599 of the affected device.
The next command is to enable the Socket5 proxy function on port 51599 of the affected device. The combination of the 2 commands enabled & allowed the attacker to use the Socket5 proxy.”
Another command tells the malware to tamper with the router DNS by modifying the resolv.conf file, allowing it to hijack the network access of any of the router’s users. This then allows attackers to monitor or steal sensitive information.
Meanwhile, by setting up iptables rules, the operators can achieve traffic forwarding & destination address translation, which could expose internal network services & lead to information disclosure. By implementing a reverse shell over a socket, the Ttint operator can use the shell of the affected routing device as if it were a local shell.
Finally, the custom commands also allow the malware to self-update & self-destruct.
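The two router changes described above (an iptables ACCEPT rule for an unexpected port and a tampered resolv.conf) are things a router owner or NOC can look for. The following is an added example, not code from 360Netlab or the article: it runs two checks over constructed iptables and resolv.conf samples, and the expected-port and trusted-resolver allowlists are assumptions to be adjusted per deployment.

```python
import re

# Constructed sample router state (not taken from the article): the output of
# `iptables -S INPUT` and the contents of /etc/resolv.conf on a hypothetical router.
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 51599 -j ACCEPT
"""
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.0.2.53
nameserver 9.9.9.9
"""

# Assumed allowlists: ports the router is expected to accept, and the resolvers
# the operator actually configured. Anything else is reported.
EXPECTED_PORTS = {22, 53, 80, 443}
TRUSTED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}

ACCEPT_RULE = re.compile(r"^-A INPUT .*?--dport (\d+) .*-j ACCEPT$")

def unexpected_accept_ports(iptables_output):
    """Return ports opened by INPUT ACCEPT rules that are not on the expected list."""
    found = set()
    for line in iptables_output.splitlines():
        m = ACCEPT_RULE.match(line.strip())
        if m and int(m.group(1)) not in EXPECTED_PORTS:
            found.add(int(m.group(1)))
    return sorted(found)

def untrusted_resolvers(resolv_conf):
    """Return nameserver entries in resolv.conf that are not trusted resolvers."""
    bad = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) == 2 and parts[0] == "nameserver" and parts[1] not in TRUSTED_RESOLVERS:
            bad.append(parts[1])
    return bad

def audit(iptables_output, resolv_conf):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"unexpected INPUT ACCEPT for tcp/{p}" for p in unexpected_accept_ports(iptables_output)]
    findings += [f"untrusted nameserver {ns} in resolv.conf" for ns in untrusted_resolvers(resolv_conf)]
    return findings
```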
The C2 information of the Ttint bot sample is encrypted & stored in the configuration information table in the Mirai format, protected with an XOR key, researchers explained.
“When the bot is running, it decrypts to obtain the C2 address, & then communicates with C2 securely through the WebSocket over TLS protocol,” the researchers said.
“When Ttint C2 replies to the bot with a response code of 101, it means that the protocol handshake is completed, & then the bot can communicate using the WebSocket protocol.”
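For an analyst extracting the C2 from a sample, the Mirai-style table decoding and the WebSocket handshake are the two pieces worth reproducing. The following is an added example, not code from 360Netlab or the article: it obfuscates and decodes a Mirai-style table using a constructed key and C2 URL (Ttint's real key and C2 are not on the page), and checks a 101 handshake reply against RFC 6455's Sec-WebSocket-Accept rule.

```python
import base64
import hashlib

# Constructed values, not from the article: Ttint's real XOR key and C2 are not on the page.
SAMPLE_KEY = 0xDEADBEEF
SAMPLE_C2 = b"wss://c2.example.invalid:443/ws"

def toggle_obf(data, key):
    """Mirai-style obfuscation: XOR each byte with all four key bytes; it is its own inverse."""
    kbytes = [(key >> s) & 0xFF for s in (0, 8, 16, 24)]
    out = bytearray(data)
    for i in range(len(out)):
        for kb in kbytes:
            out[i] ^= kb
    return bytes(out)

def build_table(entries, key):
    """Entries laid out as [id:1][len:2 LE][obfuscated bytes], in the Mirai table style."""
    blob = b""
    for entry_id, value in entries:
        enc = toggle_obf(value, key)
        blob += bytes([entry_id]) + len(enc).to_bytes(2, "little") + enc
    return blob

def parse_table(blob, key):
    """Walk the table and return {id: plaintext}; refuses truncated entries."""
    table, pos = {}, 0
    while pos + 3 <= len(blob):
        entry_id, length = blob[pos], int.from_bytes(blob[pos + 1:pos + 3], "little")
        enc = blob[pos + 3:pos + 3 + length]
        if len(enc) != length:
            raise ValueError("truncated table entry")
        table[entry_id] = toggle_obf(enc, key)
        pos += 3 + length
    return table

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

def expected_accept(client_key):
    """Sec-WebSocket-Accept a server must return for a client key (RFC 6455 section 4.2.2)."""
    return base64.b64encode(hashlib.sha1((client_key + WS_GUID).encode()).digest()).decode()

def handshake_completed(response, client_key):
    """True only for a 101 reply with Upgrade: websocket and a matching Accept value."""
    status, *header_lines = response.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in
               (h.split(":", 1) for h in header_lines if ":" in h)}
    return (status.startswith("HTTP/1.1 101")
            and headers.get("upgrade", "").lower() == "websocket"
            and headers.get("sec-websocket-accept") == expected_accept(client_key))
```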
There has been a resurgence of Mirai-based malware capable of building large botnets through the exploitation of poorly secured IoT devices.
This has contributed to a significant increase in the number of distributed denial-of-service (DDoS) attacks in the 1st half of 2020, compared to the same period in 2019. The addition of the RAT & concerning C2 commands marks a change for the Mirai world.
“2 zero-days, 12 remote-access functions for the router, encrypted traffic protocol & infrastructure IP that moves around,” the firm wrote in a recent blog. “This botnet does not seem to be a very typical player.”