Connect with us

Hi, what are you looking for?


IoT Security

Meet Torii, a Stealthy, Versatile and Highly Persistent IoT Botnet

There’s a new Internet of Things (IoT) botnet lurking around, a stealthy one that attempts to achieve persistence by running six different routines at once, Avast has discovered.

There’s a new Internet of Things (IoT) botnet lurking around, a stealthy one that attempts to achieve persistence by running six different routines at once, Avast has discovered.

Dubbed Torii, because some of the hits to a honeypot were observed coming from Tor exit nodes, the botnet targets multiple architectures, but doesn’t appear to include the usual set of malicious capabilities that IoT botnets are famous for, such as distributed denial of service (DDoS), spam, or crypto-mining.

It does, however, pack a rich set of information exfiltration features, as well as a modular architecture that allows it to fetch and execute commands and files, all via multiple layers of encrypted communication.

Active since at least December 2017, Torii can infect devices powered by MIPS, ARM, x86, x64, PowerPC, SuperH, Motorola 68k, and others, Avast has discovered. The malware targets weak credentials over the Telnet protocol and, after the initial compromise, it executes a shell script to determine the device’s architecture and download the appropriate payload, either over HTTP or FTP.

The script fetches a binary file that represents a dropper for the second-stage payload, and which attempts to make it persistent using multiple methods. The second-stage is contained within the first ELF file and is installed to a pseudo-random location.

After executing the payload, the dropper executes six different methods for persistence: via injected code into ~.bashrc, via “@reboot” clause in crontab, as a “System Daemon” service via systemd, via /etc/init and PATH (it calls itself System Daemon), via modification of the SELinux Policy Management, and via /etc/inittab.

A full-fledged bot, the second-stage is capable of executing commands from the command and control (C&C) server. The malware also includes simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, and other capabilities.

With many of the functions in the second stage also found in the dropper, Avast’s security researchers suggest that they were both built by the same developer. However, while the code in the dropper is almost identical for all architectures, the second stage binaries show differences based on the targeted hardware architectures.

Advertisement. Scroll to continue reading.

The malware uses the simple anti-analysis method of a 60 second sleep after execution and attempts to randomize the process name to avoid detection of blacklisted process names. The author also stripped the symbols from executables to make analysis more difficult.

The C&C address is encrypted using a XOR-based cipher and each Torii variant contains 3 addresses, Avast discovered. Since September 15, the domain names have resolved to IP, which also hosts other suspicious domains, the security researchers say. Communication with the C&C server is done via TCP port 443.

When connecting to the server, Torii exfiltrates information such as hostname, process ID, path to second stage executable, all MAC addresses in /sys/class/net/%interface_name%/address and its MD5 hash, data found by uname() call (sysname, version, release, and machine), and the outputs of various commands that gather additional information from the compromised machines.

The malware continuously asks the server if there are any commands it should execute, the security researchers discovered. After receiving a command, the threat replies with the results of the execution.

Another binary found on the attackers’ FTP server, sm_packed_agent, contains functionality that could be used to send any remote command to the target device. Written in the Go language, it could be easily recompiled to run on virtually any architecture and could serve as backdoor or a service to orchestrate multiple machines, the researchers say.

“Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the C&C, but  by communicating with the C&C, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use,” Avast concludes.

Related: Addressing IoT Device Security Head-on

Related: Industrial Internet Consortium Develops New IoT Security Maturity Model

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

IoT Security

Researchers at offensive hacking shop Synacktiv demonstrated successful exploit chains and were able to “fully compromise” Tesla’s newest electric car and take top billing...

IoT Security

Hikvision patches CVE-2023-28808, a critical authentication bypass vulnerability that exposes video data stored on its Hybrid SAN and cluster storage products.

IoT Security

Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV...