Security researchers at Netlab, the network security division of Qihoo 360, have released a report providing a technical analysis of a relatively new IoT botnet named Ttint. The botnet, which the researchers have been monitoring since 2019, has been observed using two Tenda router 0-day vulnerabilities (CVE-2018-14558, CVE-2020-10987) to spread a Remote Access Trojan (RAT) based on Mirai code.
The most notable thing about this botnet is that, along with DDoS functionality, it implements 12 remote access functions, such as running a SOCKS5 proxy on router devices, tampering with router DNS settings, setting iptables rules, and executing custom system commands.
“In addition, at the C2 communication level, it uses the WSS (WebSocket over TLS) protocol. Doing this can circumvent the typical Mirai traffic detection at the traffic level, and it also provides secure encrypted communication for C2,” the researchers said.
In November last year the researchers observed the botnet operators exploiting the CVE-2018-14558 vulnerability in Tenda routers (which was disclosed only in July 2020) to deploy Ttint samples. Almost a year later, in August 2020, the threat actor was caught exploiting another zero-day in Tenda routers. That same month the Netlab team informed the manufacturer about their findings, but received no response.
According to the report, Tenda routers running a firmware version between AC9 and AC18 are vulnerable to the attack. The report also provides Indicators of Compromise (IoCs) related to the observed attacks.