INSUBCONTINENT EXCLUSIVE:
IoT malware strain/botnet, that the firm has codenamed Torii, has spread over poorly secured telnet services with the attack stemming from
Tor exit nodes.Payload deliveryAccording to Avast, the infection chain begins with a telnet attack on the weak credentials of targeted
devices followed by the execution of an initial shell script
The script tries to discover the architecture of the targeted device and once this is complete it attempts to download the appropriate
payload for the devices (binary files in the EFL format).The core functionality of these payloads is to install an inner EFL with the first
This is the second stage executable which is highly persistent and uses at least six methods to ensure the EFL file remains on the device
After this, the inner EFL is executed to deliver the second stage payload, a fully-fledged bot capable of executing commands from its master
CnC server.Threat detailsTorii has yet to be used in either DDoS attacks or for cryptojacking
Instead, the malware steals data from IoT devices and allows attackers to execute code remotely which could allow them to run any command on
However, the malware is capable of fetching and executing other commands using multiple layers of encryption.Torii is one of the most
sophisticated malware strains ever observed by Avast
In addition to sharing information regarding infected devices, the malware's communication with the CnC server allows its authors to
execute any code or deliver any payload to an infected device
This suggests that Torii could become a modular platform for future use.
