Torii virus – a sophisticated multi-stage malware that is capable of infecting a wide array of devices

Torii virus is a new malware strain that has been discovered by security experts in September 2018.[1] According to the report, this advanced cyber threat was functional since December 2017 and possibly even longer. The virus is capable of infecting a large variety of devices and functions as an IoT[2] botnet – it is able of propagating itself. Unlike botnets like Mirai or QBot, Torii botnet does not initiate active DDoS[3] attacks or crypto-mining but instead focuses on harvesting sensitive information. Once installed on the device, malware focuses on obfuscation by using multi-stage infection technique, downloading and executing other commands and continually communicating with the C2 server using encryption.
| Summary | |
| Name | Torii virus |
| Type | Botnet/malware |
| Distribution | Brute-force attacks |
| Spotted | September 2018 |
| Active since | December 2017 |
| Detection and elimination | Use sophisticated anti-malware software |
| System repair | Use FortectIntego |
Users might struggle to remove Torii virus since the malware is sophisticated. Moreover, detecting the cyber threat might be almost impossible unless the device is scanned with professional anti-malware software. We also suggest using FortectIntego to revert modifications performed by the virus.
Unlike banking trojan Emotet, Torii does not use malicious spam email attachments for its distribution. The infection starts when the virus breaks through weak Telnet credentials of the targeted device and uploads its primary script. At this point, the malware tries to identify the architectures used by the machine, which supports:
- x86
- x64
- ARM
- Motorola
- PPC
- SuperH
- MIPS
Then, Torii botnet virus focuses on downloading and installing appropriate binary payloads – all of the downloaded files are in ELF format. In case the HTTP connection is not successful, the virus uses an FTP protocol that requires authentication, which is embedded inside the script. As soon as the first stage is complete, the dropper will execute the downloaded ELF file to ensure persistence. The executable on itself runs six different processes to ensure that the malware is running all the time.
Once the inner ELF file is executed, the second stage payload actively communicates with the Command and Control server using the encrypted XOR cipher. Torii virus then sends the following information to a remote server:
- Hostname
- Process ID
- Path to second stage executable
- MAC address
- Device information, such as system name, version, release, etc.
- Executes several other commands to get more information about the device
It is not clear how many devices in total are affected by Torii virus, but researchers claim that one of the malware used IPs was connected to 1,056,393 times. However, experts believe that the server used is only one of many used servers infecting more devices worldwide.
Torii botnet virus is a sophisticated malware which researchers never encountered before. It sends out a large amount of information to the C2 server and is also capable of communicating with it continually, which allows bad actors to execute virtually any script on the affected device. Additionally, the obfuscation level of this malware is advanced. Thus, to remove Torii virus, users need to detect if first, which might be not an easy task.
It is yet unclear what goal this IoT malware has, as it is not used for DDoS or crypto-mining. Researchers think that it might be created to serve as a backdoor for other malware. Nevertheless, with its impressive persistence and obfuscation techniques, a simple factory reset on a device will not perform Torii virus removal.

Use strong passwords for all your devices
Botnets are dangerous because they can be used for various malicious activities, such as DDoS attacks or cryptocurrency mining on the device. Therefore, avoiding such infections is a far better solution, as security experts[4] suggest. As we know, the malware spreads using brute-force attacks via poorly protected devices. Therefore, we recommend you use a strong password and never leave your connection unprotected, as virus infection can be imminent.
There are several ways to protect your connection. For example, using a combination of upper and lower case letters and numbers would provide better protection. While it is hard to remember, such passwords should be handled by password managing programs.
Additionally, users are not recommended using the same password for multiple accounts because, as soon as one account gets compromised, hackers might use that information for further attacks.
Eliminate Torii from your device
Currently, thousands or even millions of devices are at risk of malware infection. Therefore, those who already are infected should take care of Torii virus removal as soon as possible. On itself, it might be a complicated task, as malware does not show any signs or symptoms. Besides, it uses several persistence techniques to remain running on the affected device.
The only way to remove Torii botnet virus is by using sophisticated anti-malware solutions. Because the botnet is recently established, and it is still under the investigation. Therefore, not all AV engines might detect the malicious payload. For that reason, it is advisable to scan your devices using multiple security applications.
Was this guide helpful?
Be the first to comment