Recently a team of IT security researchers discovered Torii, a new botnet with highly developed features that is far more dangerous than Qbot and Mirai. It was first spotted by Vesselin Bontchev, a well-known Bulgarian researcher, who announced his findings on Twitter on September 19, 2018. Torii is designed to run on a wide range of hardware platforms.
Torii: Stealthier Than Its Predecessors
After in-depth analysis, researchers revealed that Torii tries to be stealthier than its predecessors. It appears to be designed for exfiltrating sensitive data, using a modular architecture and several layers of encrypted communication. Torii's infection vector is a Telnet attack against devices with default or weak passwords.
Once Torii has logged in, a sophisticated shell script is executed on the machine that tries to determine the victim's architecture so that the matching Torii payload can be downloaded. The download is first attempted over HTTP; if that fails, the script falls back to FTP, using login credentials hard-coded within the script. The second-stage Torii payload receives and executes commands from its command and control (C&C) servers. Each Torii variant includes the addresses of three C&C servers and features data exfiltration, anti-debugging techniques and multi-level encryption of its communication.
Persistence Methods of Torii
- Injects code into ~/.bashrc
- ‘@reboot’ clause in a crontab entry
- As a System Daemon service via systemd
- Execution via /etc/init and PATH
- Modification of the SELinux Policy Management
- Entry in /etc/inittab
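As an added defender-side example (not code from this article or from the Torii research), the following Python script reads the persistence locations listed above and reports entries that warrant manual review: '@reboot' cron jobs, launcher lines in ~/.bashrc, systemd ExecStart= lines and inittab respawn entries pointing into directories that legitimate boot-time services rarely use. The "suspect directory" heuristic, the file paths scanned, and the sample inputs in the test are assumptions; system files need root to read.

```python
import re
from pathlib import Path

# Directories legitimate boot-time services rarely run from; a persistence entry
# pointing here deserves a manual look. Assumed heuristic, not from the article.
SUSPECT_DIRS = re.compile(r"(^|[\s='\"])(/tmp|/var/tmp|/dev/shm|/home/[^/\s]+|~)/")

def cron_reboot_jobs(text):
    """Crontab lines using the '@reboot' clause (the article's second method)."""
    return [l.strip() for l in text.splitlines() if l.lstrip().startswith("@reboot")]

def bashrc_launchers(text):
    """~/.bashrc lines that run from a suspect dir or background a process."""
    lines = (l.strip() for l in text.splitlines())
    return [s for s in lines if s and not s.startswith("#") and
            (SUSPECT_DIRS.search(s) or s.endswith("&") or "nohup " in s)]

def systemd_exec_from_suspect_dir(unit_text):
    """ExecStart= lines of a unit file whose binary lives in a suspect directory."""
    return [l.strip() for l in unit_text.splitlines()
            if l.strip().startswith("ExecStart=") and SUSPECT_DIRS.search(l)]

def inittab_respawn_entries(text):
    """inittab entries (id:runlevels:action:process) respawning from a suspect dir."""
    hits = []
    for l in text.splitlines():
        f = l.strip().split(":", 3)
        if len(f) == 4 and f[2] == "respawn" and SUSPECT_DIRS.search(f[3]):
            hits.append(l.strip())
    return hits

def _read(path):
    try:
        return path.read_text(errors="replace")
    except OSError:  # missing or unreadable (system files need root): treat as empty
        return ""

def scan_host():
    """Apply the checks to the live host; returns {path: [suspicious lines]}."""
    targets = [(Path.home() / ".bashrc", bashrc_launchers),
               (Path("/etc/crontab"), cron_reboot_jobs),
               (Path("/etc/inittab"), inittab_respawn_entries)]
    targets += [(p, cron_reboot_jobs) for p in Path("/etc/cron.d").glob("*")]
    targets += [(p, systemd_exec_from_suspect_dir)
                for p in Path("/etc/systemd/system").glob("*.service")]
    report = {str(p): check(_read(p)) for p, check in targets}
    return {p: hits for p, hits in report.items() if hits}
```

A hit is a starting point for review, not proof of infection; compare flagged entries against the device's known configuration and the other persistence locations the article lists.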
In-Depth Analysis of Torii's Main Features
Once inside the targeted machine, Torii immediately starts its malicious activity, having compromised the device through its weak credentials. Its harmful behaviour is similar to that of other botnets, but the most notable thing about this malware is that it executes an initial shell script to carry out its malicious activities. The scripts it uses are highly developed and difficult to understand.
The malicious script analyses the complete structure and settings of the infected machine and automatically downloads the harmful payload that suits the device. Experts revealed that Torii supports architectures including x86_64, x86, MIPS, ARM, SuperH, Motorola 68k, PPC and many more, which allows it to infect many kinds of devices. It causes serious trouble, so users must remove the Torii botnet as soon as possible.
List of C&C Servers Belonging to Torii
Torii communicates with its C&C servers, whose addresses are obfuscated with an XOR-based scheme. According to the researchers, Torii uses three C&C servers, including:
Tips to Protect Your PC Against the Torii Botnet
- Use strong and unique passwords for all devices
- Never leave your Internet connection unprotected
- Don't open any unknown emails or messages
- Avoid visiting any untrusted or compromised domains
- Always keep your OS and installed applications up to date
- Keep regular backups of your system files as well as your data, among other precautions.