Meet Torii, a new IoT botnet far more sophisticated than Mirai variants

The evolving IoT botnet is able to compromise an impressive array of architectures.

Andromeda botnet malware is still an infection issue One of the largest botnets was taken out by the authorities last year - but large numbers of PCs remain infected.

A new botnet which specializes in the compromise of Internet of Things (IoT) devices has been discovered which contains unprecedented levels of sophistication.

The botnet, dubbed Torii, is a cut above both the Mirai and QBot variants, according to researchers from Avast, as it possesses sophistication "a level above anything we have seen before."

First discovered by a security researcher that goes under the Twitter handle VessOnSecurity, a strain of Torii was detected after hitting one of the researcher's honeypots.


"The script is quite sophisticated, unlike the usual Mirai crap," Vess tweeted. "The author is not your average script kiddie Mirai modder."

Avast's examination of the botnet revealed that Torii has likely been developed by someone with a thorough understanding of how botnets operate, rather than taking the bolt-on approach we have seen through recent Mirai variants, made possible after the public release of the IoT botnet's source code in 2016.

The security firm says that Torii differs not only in terms of sophistication but also the variety of "advanced techniques" it uses.

"[Torii] comes with a quite rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication," Avast says.

See also: IoT hacker builds Huawei-based botnet, enslaves 18,000 devices in one day

The botnet, believed to have been in operation since 2017, also has targeting capabilities not often seen in botnet variants. The system is able to infect architectures including MIPS, ARM, x86, x64, PowerPC, and SuperH, among others.

CNET: We can't stop botnet attacks alone, says US government report

The discovery of the botnet was based on Telnet attacks emerging from Tor exit nodes. The botnet is able to take advantage of the use of weak credentials in IoT devices to compromise systems before executing a shell script which attempts to detect the architecture of a target device, before downloading an appropriate malware payload.

Torii will utilize a variety of commands, "wget", "ftpget", "ftp", "busybox wget," or "busybox ftpget," to ensure payload delivery.

If binaries cannot be downloaded via HTTP, the botnet will use the FTP protocol. In the latter case, the botnet will use credentials embedded in the shell script to connect to an FTP server via an IP which is still active at the time of writing.

The binaries are droppers for the second payload, both of which are persistent.

Torii uses at least six methods to maintain persistence on a compromised device and runs all of them at the same time:

  • Automatic execution via injected code into ~\.bashrc
  • Automatic execution via "@reboot" clause in crontab
  • Automatic execution as a "System Daemon" service via systemd
  • Automatic execution via /etc/init and PATH. Once again, it calls itself "System Daemon"
  • Automatic execution via modification of the SELinux Policy Management
  • Automatic execution via /etc/inittab

The second-stage payload then executes. This is the main botnet which is able to connect to the operator's command-and-control (C2) server -- of which at least three addresses are in operation -- exfiltrate data, encrypt communication, and utilize anti-debugging techniques.

TechRepublic: The 6 reasons why we've failed to stop botnets

Torii communicates with its C2 via TCP port 443, however, Avast considers this "as a deception" as the TLS protocol is not in use. Rather, the botnet "takes advantage of [the] common use of this port for HTTPS traffic."

The botnet is sophisticated, but despite potentially being active since last year, does not behave like a standard botnet involved in Distributed Denial-of-Service (DDoS) attacks or cryptojacking, and its overall purpose is still a mystery.

At the time of discovery, VirusTotal did not flag up two of the botnet's executables as malicious. However, at the time of writing, 19 antivirus engines now detect one of the files, whereas another is only detected by five engines.

Previous and related coverage