Torii botnet outmatches Mirai with its new features

by Lucia Danes

A newly detected botnet is more sophisticated than other IoT botnets

IT researchers have discovered a new botnet named Torii which surpasses others of its kind thanks to its highly developed features. Torii stands out by its mode of operation, which is much more advanced than the one used by Mirai[1] and QBot.

This botnet was first discovered by a researcher named Vess, who announced his findings on Twitter[2]:

My honeypot just caught something substantially new. Spreads via Telnet but not your run-of-the-mill Mirai variant or Monero miner, he said. First stage is just a few commands that download a rather sophisticated shell script, disguised as a CSS file. (URL is still live.)

Torii belongs to an experienced developer

Avast has already examined Torii and, according to its results, there is no doubt that the botnet was created and developed by a truly experienced specialist who knows exactly what he or she is doing. The same cannot be said of the Mirai variants released in recent months.

The Torii botnet has a wide range of advanced features that set it apart from other botnets. One of them lets the botnet gather sensitive information from infected devices. Through multiple layers of encrypted communication it can also run arbitrary commands and executable files, and it ships payloads for many different hardware architectures. Here are Avast's insights:

Furthermore, Torii can infect a wide range of devices and it provides support for a wide range of target architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, and others. Definitely, one of the largest sets we’ve seen so far.

Nevertheless, security researchers have also performed an in-depth analysis which showed that the Torii botnet has been active since December of last year, or possibly even longer. The damage done over the past year is still unknown.

Analysis of Torii's main features

First, the infection starts with the botnet compromising devices that have weak credentials. Torii then runs an initial shell script which differs noticeably from the scripts used by other IoT malware[3]: its scripts are more elaborate and harder to analyze.

The script identifies the architecture and configuration of the infected device and downloads the malicious payload suited to that type of device. Torii supports architectures such as x86_64, x86, ARM, MIPS, Motorola 68k, SuperH and PPC,[4] which allows the botnet to infect many different kinds of devices, since these architectures are among the most common in embedded hardware. Once the botnet has chosen the payload suitable for a given device, that payload is delivered as an ELF file.

CnC communication explained

In addition, this malware communicates with a CnC server. The addresses of these servers are hidden in the binary, encrypted with an XOR-based cipher[5]. IT researchers have identified three CnC servers belonging to the Torii botnet:

  • top.haletteompson.com;
  • cloud.tillywirtz.com;
  • trade.andrewabendroth.com.
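As an added illustration of the analyst side of this (not code from the article, from Avast or from the malware itself), the script below obfuscates the three domains listed above with a single-byte XOR key and then recovers them the way a reverse engineer extracting indicators for a blocklist would: it tries every possible key and keeps only the decodings that look like hostnames. The single-byte key 0x5A, the NUL-separated config layout and the sample blob are constructed assumptions; the article says only that Torii uses an XOR-based cipher, and the real scheme may differ.

```python
import re

# Constructed sample: the three CnC domains named in the article, which we XOR
# here with an assumed single-byte key. Nothing about the real Torii key or
# layout is known from the article; this is an illustration of the technique.
SAMPLE_KEY = 0x5A
SAMPLE_DOMAINS = [
    "top.haletteompson.com",
    "cloud.tillywirtz.com",
    "trade.andrewabendroth.com",
]

# Assumed layout: each obfuscated string is stored back to back, separated by
# a plaintext NUL byte (a common way for malware to store a string table).
SEPARATOR = b"\x00"

# Hostname shape: lowercase labels of [a-z0-9-] joined by at least one dot.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key. XOR is its own inverse, so the
    same call both obfuscates and deobfuscates."""
    return bytes(b ^ key for b in data)


def obfuscate(text: str, key: int = SAMPLE_KEY) -> bytes:
    """Produce the obfuscated form of one string (used only to build the sample)."""
    return xor_bytes(text.encode("ascii"), key)


def build_sample_config(domains=SAMPLE_DOMAINS, key: int = SAMPLE_KEY) -> bytes:
    """Assemble a constructed config blob: XORed strings separated by NUL bytes."""
    return SEPARATOR.join(obfuscate(d, key) for d in domains)


def looks_like_domain(candidate: bytes) -> bool:
    """True if the bytes decode to something shaped like a hostname."""
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return False
    return DOMAIN_RE.match(text) is not None


def recover_xor_domains(blob: bytes) -> list:
    """Brute-force all 256 single-byte keys against one obfuscated string and
    return every (key, plaintext) pair whose plaintext looks like a hostname."""
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        if looks_like_domain(plain):
            hits.append((key, plain.decode("ascii")))
    return hits


def extract_iocs(config: bytes) -> list:
    """Split a NUL-separated config blob and recover the hostname from each
    entry. Each recovered entry is a (key, domain) pair; entries that decode to
    nothing hostname-like under any key are skipped rather than guessed."""
    iocs = []
    for entry in config.split(SEPARATOR):
        if not entry:
            continue
        hits = recover_xor_domains(entry)
        if len(hits) == 1:  # unambiguous: exactly one key yields a hostname
            iocs.append(hits[0])
    return iocs


if __name__ == "__main__":
    sample = build_sample_config()
    for key, domain in extract_iocs(sample):
        print(f"key=0x{key:02x}  {domain}")
```

The hostname filter is what makes the brute force useful: with only 256 candidate keys, the decoder does not need to know the key in advance, it only needs a way to recognise a correct decoding. The same idea extends to the multi-byte XOR keys and longer config tables seen in real samples, at the cost of a larger key search.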

We ask all users to be aware of this recently discovered malware. This botnet can easily compromise devices that use weak credentials, so always set strong passwords to raise your device's level of protection. Once installed, the Torii botnet can cause serious damage that may be very difficult to repair.

About the author

Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has long experience working in the malware and technology fields.
