Avast's examination of the botnet revealed that Torii has likely been developed by someone with a thorough understanding of how botnets operate, rather than taking the bolt-on approach we have seen through recent Mirai variants, made possible after the public release of the IoT botnet's source code in 2016.
The security firm says that Torii differs not only in terms of sophistication but also in the variety of "advanced techniques" it uses.
"[Torii] comes with a quite rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication," Avast says.
The botnet, believed to have been in operation since 2017, also has targeting capabilities not often seen in botnet variants. The system is able to infect architectures including MIPS, ARM, x86, x64, PowerPC, and SuperH, among others.
The botnet was discovered through Telnet attacks emerging from Tor exit nodes. It takes advantage of weak credentials on IoT devices to compromise systems, then executes a shell script which attempts to detect the architecture of the target device before downloading an appropriate malware payload.
Torii will utilize a variety of commands, "wget", "ftpget", "ftp", "busybox wget", or "busybox ftpget", to ensure payload delivery.
If binaries cannot be downloaded via HTTP, the botnet will use the FTP protocol. In the latter case, the botnet will use credentials embedded in the shell script to connect to an FTP server via an IP which is still active at the time of writing.
The binaries are droppers for the second payload, both of which are persistent.
Torii uses at least six methods to maintain persistence on a compromised device and runs all of them at the same time:
Automatic execution via injected code into ~/.bashrc
Automatic execution via "@reboot" clause in crontab
Automatic execution as a "System Daemon" service via systemd
Automatic execution via /etc/init and PATH. Once again, it calls itself "System Daemon"
Automatic execution via modification of the SELinux Policy Management
Automatic execution via /etc/inittab
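As an added example (not Avast's code or anything published with the Torii analysis), the audit below walks a collected Linux root filesystem and reports entries in the startup locations listed above: .bashrc lines launching programs from scratch directories, "@reboot" crontab entries, systemd units and init scripts named "System Daemon", and inittab respawn entries. The file globs, the "suspicious" patterns and the sample artifacts are assumptions constructed for the demonstration, not Torii indicators, and the SELinux policy change is described too generally above to be modelled here.

```python
"""Audit a collected Linux root filesystem for the startup hooks listed above."""
import glob
import os
import re
import tempfile

WRITABLE = r"(?:/tmp|/dev/shm|/var/tmp)/\S+"  # programs launched from scratch directories
# mechanism -> (globs relative to the image root, regex that flags a line); assumed, not Torii IoCs
CHECKS = {
    "bashrc": (["root/.bashrc", "home/*/.bashrc"], re.compile(WRITABLE)),
    "crontab": (["etc/crontab", "var/spool/cron/crontabs/*", "var/spool/cron/*"], re.compile(r"^\s*@reboot\b")),
    "systemd": (["etc/systemd/system/*.service", "lib/systemd/system/*.service"],
                re.compile(r"^Description=.*System Daemon|^ExecStart=" + WRITABLE)),
    "init": (["etc/init/*", "etc/init.d/*"], re.compile(r"System Daemon|" + WRITABLE)),
    "inittab": (["etc/inittab"], re.compile(r"^[^#:]*:[^:]*:(?:respawn|once|boot|sysinit):.*" + WRITABLE)),
}

def audit(root):
    """Return (mechanism, relative path, line) for every flagged line under root."""
    hits = []
    for mech, (patterns, rx) in CHECKS.items():
        for pat in patterns:
            for path in sorted(filter(os.path.isfile, glob.glob(os.path.join(root, pat)))):
                with open(path, errors="replace") as fh:
                    for line in fh.read().splitlines():
                        if rx.search(line):
                            hits.append((mech, os.path.relpath(path, root), line))
    return hits

def build_sample(root):
    """Write constructed artifacts that mimic the hooks (sample data, not real Torii files)."""
    files = {
        "root/.bashrc": "alias ll='ls -l'\n/tmp/.x/sysd &\n",
        "etc/crontab": "0 5 * * * root run-parts /etc/cron.daily\n@reboot root /tmp/.x/sysd\n",
        "etc/systemd/system/sysd.service": "[Unit]\nDescription=System Daemon\n[Service]\nExecStart=/tmp/.x/sysd\n",
        "etc/init.d/sysd": "#!/bin/sh\n# System Daemon\n/tmp/.x/sysd\n",
        "etc/inittab": "id:3:initdefault:\nsd:2345:respawn:/tmp/.x/sysd\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def demo():
    """Build the sample image in a temporary directory, audit it and return the hits."""
    with tempfile.TemporaryDirectory() as img:
        build_sample(img)
        return audit(img)
```

Call `demo()` to exercise the checks on the constructed image, or `audit("/mnt/image")` against a mounted filesystem collected from a device.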
The second-stage payload then executes. This is the main botnet which is able to connect to the operator's command-and-control (C2) server -- of which at least three addresses are in operation -- exfiltrate data, encrypt communication, and utilize anti-debugging techniques.
Torii communicates with its C2 via TCP port 443; however, Avast describes this "as a deception" because the TLS protocol is not in use. Rather, the botnet "takes advantage of [the] common use of this port for HTTPS traffic."
The botnet is sophisticated, but despite potentially being active since last year, does not behave like a standard botnet involved in Distributed Denial-of-Service (DDoS) attacks or cryptojacking, and its overall purpose is still a mystery.
At the time of discovery, VirusTotal did not flag two of the botnet's executables as malicious. However, at the time of writing, 19 antivirus engines detect one of the files, whereas the other is detected by only five engines.