Quote: Two former Tenda router zero-days are anchoring the spread of a Mirai-based botnet called Ttint. In addition to denial-of-service (DoS) attacks, this variant also has remote-access trojan (RAT) and spyware capabilities.
According to 360Netlab, the botnet is unusual in a few ways. For one, on the RAT front, researchers said that it implements 12 remote-access functions that combine with custom command-and-control (C2) server commands to carry out tasks like setting up a Socket5 proxy for router devices, tampering with router DNS, setting iptables and executing custom system commands.
In addition, Ttint also uses encrypted channels to communicate with the C2 – specifically, using the WebSocket over TLS (WSS) protocol. Researchers said that this allows the traffic to avoid detection while providing additional security. And finally, the infrastructure seems to migrate. 360Netlab first observed the attackers using a Google cloud service IP, before switching to a hosting provider in Hong Kong. [...]
Ttint as a malware can carry out 10 typical Mirai DDoS attack instructions (including multiple attack vectors), along with 12 RAT instructions and 22 custom C2 commands that work together.
“Generally speaking, at the host level, Ttint’s behavior is relatively simple,” according to the researchers. “When running, it deletes its own files, manipulates the watchdog and prevents the device from restarting, it runs as a single instance by binding the port; then modifies the process name to confuse the user…it finally establishes a connection with the decrypted C2, reporting device information, waiting for C2 to issue instructions, and executing corresponding attacks or custom functions.”
Read more: https://threatpost.com/tenda-router-zero...et/159834/
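The host-level behaviour quoted above (binary deleted after launch, watchdog manipulated, a bound port as a single-instance lock, a spoofed process name) is exactly what a Linux process snapshot exposes through /proc. The triage logic below is an added example written for this post; it is not code from Threatpost, 360Netlab or the Ttint sample. The ProcSnapshot fields, the sample processes and the choice of lock port are assumptions: 48101 is the loopback port the leaked Mirai source binds for its single-instance check, and the article does not say which port Ttint uses.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Watchdog device nodes a Mirai-style bot opens to disarm the hardware reboot timer.
WATCHDOG_NODES = {"/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog"}
# Port the leaked Mirai source binds on 127.0.0.1 as a single-instance lock.
# Assumption: Ttint's own lock port is not given by the article.
MIRAI_LOCK_PORT = 48101
TASK_COMM_LEN = 15  # the kernel truncates /proc/<pid>/comm to 15 characters


@dataclass
class ProcSnapshot:
    """One process as collected from /proc (field names are this example's own)."""
    pid: int
    comm: str                                    # contents of /proc/<pid>/comm
    exe: str                                     # readlink(/proc/<pid>/exe)
    open_files: List[str] = field(default_factory=list)             # /proc/<pid>/fd targets
    listeners: List[Tuple[str, int]] = field(default_factory=list)  # (bind addr, port) in LISTEN


def triage(p: ProcSnapshot) -> List[str]:
    """Return the Ttint-like host indicators observed for a single process."""
    hits: List[str] = []

    # "deletes its own files": the unlinked binary stays mapped, and readlink on
    # /proc/<pid>/exe then reports "<path> (deleted)".
    deleted = p.exe.endswith(" (deleted)")
    if deleted:
        hits.append("running from a deleted executable")

    # "modifies the process name to confuse the user": comm no longer agrees
    # with the executable it was started from (compare on the truncated length).
    exe_path = p.exe[: -len(" (deleted)")] if deleted else p.exe
    exe_base = os.path.basename(exe_path)
    if exe_base and p.comm != exe_base[:TASK_COMM_LEN]:
        hits.append(f"process name {p.comm!r} differs from executable {exe_base!r}")

    # "manipulates the watchdog": a watchdog device node held open.
    if any(f in WATCHDOG_NODES for f in p.open_files):
        hits.append("holds the watchdog device open")

    # "runs as a single instance by binding the port": a listener on the
    # classic Mirai lock port, on loopback or all interfaces.
    if any(addr in ("127.0.0.1", "0.0.0.0") and port == MIRAI_LOCK_PORT
           for addr, port in p.listeners):
        hits.append(f"listening on Mirai single-instance port {MIRAI_LOCK_PORT}")

    return hits


def triage_snapshot(procs: List[ProcSnapshot], min_hits: int = 2) -> Dict[int, List[str]]:
    """Report only processes with at least min_hits indicators; a renamed but
    benign worker or the platform's own watchdog daemon scores one at most."""
    report: Dict[int, List[str]] = {}
    for p in procs:
        hits = triage(p)
        if len(hits) >= min_hits:
            report[p.pid] = hits
    return report


# Constructed sample snapshot (not real Ttint telemetry): an ordinary sshd, the
# legitimate watchdog daemon, and one process showing the behaviours quoted above.
SAMPLE = [
    ProcSnapshot(101, "sshd", "/usr/sbin/sshd", listeners=[("0.0.0.0", 22)]),
    ProcSnapshot(150, "watchdog", "/usr/sbin/watchdog", open_files=["/dev/watchdog"]),
    ProcSnapshot(1337, "httpd", "/tmp/.x/bot.arm (deleted)",
                 open_files=["/dev/watchdog", "socket:[4242]"],
                 listeners=[("127.0.0.1", 48101)]),
]

if __name__ == "__main__":
    for pid, hits in triage_snapshot(SAMPLE).items():
        print(pid, hits)
```

The threshold matters: legitimate software renames itself too (database and browser worker processes rewrite their own comm), and a watchdog daemon is supposed to hold /dev/watchdog open, so a single indicator is noise. Two or more on one process, especially "deleted executable" plus a loopback listener, is the Mirai pattern worth pulling the binary for. Reading /proc/<pid>/exe of another user's process requires root, and on the Tenda targets themselves this would run as a collector script rather than Python; the logic is what an EDR or NSM rule would encode.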