New Sophisticated Botnets Discovered: Torii, the IoT Botnet That Can Run on Almost Every Device
- tlichconcitarisjoh
- Aug 13, 2023
- 6 min read
New cyber-storm clouds are gathering. Check Point researchers have discovered a brand new botnet that is evolving and recruiting IoT devices at a far greater pace, and with more potential for damage, than the Mirai botnet of 2016.
While some technical aspects lead us to suspect a possible connection to Mirai, this is an entirely new and far more sophisticated campaign that is rapidly spreading worldwide. It is too early to guess the intentions of the threat actors behind it, but with previous botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and put defense mechanisms in place before an attack strikes.
Unlike the IoT botnets mentioned above, this one tries to be stealthier and more persistent once a device is compromised, and it does not (yet) do the usual things a botnet does, such as DDoS attacks, attacking every device connected to the internet, or, of course, mining cryptocurrencies.
The infection chain starts with a telnet attack on the weak credentials of targeted devices, followed by execution of an initial shell script. This script looks quite different from the typical scripts IoT malware uses, in that it is far more sophisticated.
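The first stage described above (credential guessing over telnet, then a session that runs the dropper script) leaves a very recognisable trace on the device or on a central syslog collector: a burst of failed logins from one source followed by a success. The following detection routine is an added example written for this page, not Check Point's code and not part of Torii; the log lines and the `telnetd` message format it parses are constructed for the demonstration, so the regular expression will need adjusting to whatever your telnet daemon actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the article): a telnet daemon
# recording failed and successful logins in a syslog-like format.
SAMPLE_LOG = """\
2023-08-13T10:00:01Z telnetd[311]: login failed for 'root' from 203.0.113.7
2023-08-13T10:00:02Z telnetd[311]: login failed for 'admin' from 203.0.113.7
2023-08-13T10:00:02Z telnetd[311]: login failed for 'root' from 203.0.113.7
2023-08-13T10:00:03Z telnetd[311]: login failed for 'support' from 203.0.113.7
2023-08-13T10:00:04Z telnetd[311]: login failed for 'root' from 203.0.113.7
2023-08-13T10:00:05Z telnetd[311]: login succeeded for 'root' from 203.0.113.7
2023-08-13T10:05:10Z telnetd[311]: login failed for 'root' from 198.51.100.9
2023-08-13T10:30:00Z telnetd[311]: login succeeded for 'admin' from 192.0.2.20
"""

# Hypothetical message format; adapt to the daemon in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for '(?P<user>[^']*)' from (?P<ip>[\d.]+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect_telnet_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside a sliding window.

    Returns {ip: {"failures": n, "users": set, "success_after": bool}}.
    "success_after" is the interesting bit for the Torii chain: a success
    following the burst means the guessed credentials worked and the
    initial shell script has most likely already run.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username)
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        window = recent[ip]
        if result == "failed":
            window.append((ts, user))
            # Drop failures that fell out of the time window.
            while window and (ts - window[0][0]) > timedelta(seconds=window_seconds):
                window.popleft()
            if len(window) >= threshold:
                alert = alerts.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after": False}
                )
                alert["failures"] = max(alert["failures"], len(window))
                alert["users"].update(u for _, u in window)
        elif result == "succeeded" and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_telnet_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A device that already has telnet exposed with default credentials is the real problem; the routine above only tells you it has been found. Pair it with the obvious mitigations the article implies (disable telnet, change default credentials, put management interfaces behind a filtered segment), and treat a `success_after` hit as an incident rather than an alert to tune away.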
Looking at the logs, it seems that someone actually ran DirBuster-1.0-RC1 against the server, trying to figure out what was going on. DirBuster is a brute-force tool that guesses directory and file names on a web server and generates a large number of requests. It is quite unfortunate if this scan originated from a researcher, as there are more elegant approaches for investigating sophisticated malware like Torii.
Threats are becoming more sophisticated, incorporating emerging technologies, advanced cryptography, and resilient infrastructure to resist surveillance and disruption. Modifications to banking trojans support stealing bank credentials and website cookies to impersonate victims, searching hard disks for specific files, granting threat actors remote access to a computer, and allowing threat actors to exfiltrate stolen information or download additional malware. Cybercriminals are also expanding beyond traditional banking botnets to evolve new attack vectors. CTU researchers observed an increase in persistent attacks targeting specific organizations to compromise financial accounts, illustrating use of a delivery method that was previously used only in advanced persistent threat (APT) attacks. With banks continuously moving to the mobile platform for payment and banking applications, cybercriminals' interest in targeting mobile banking services has increased. Attacks on mobile banking platforms, as well as advancements in bypassing advanced authentication mechanisms like two-factor authentication (2FA) and transaction authentication numbers (TANs), evolved in 2015.
While most banking botnets that were active in 2014 continued their operations in 2015, Shifu, Corebot, and Reactorbot emerged as new additions. Increased activity from Qadars, Tinba, Gozi ISFB, and Gozi Neverquest reflected a consistent market for banking fraud, and the reemergence of Ramnit and Bugat v5 after takedowns showed the cybercriminals' resilience. A search for other revenue streams led to a steady shift in 2015 from botnet-driven infections to ransomware. Ransomware provides threat actors with a straightforward and direct revenue stream and does not require infrastructure maintenance.
The botnet-as-a-service model has grown increasingly popular. Threat actors rent subsets of their botnets for malicious activities such as distributed denial of service (DDoS) attacks, click fraud, cryptocurrency mining, and targeted attacks. Mobile botnets are also used for DDoS attacks, click fraud, and impersonation attacks. However, there is still a strong demand for the standalone botnet-as-a-kit service because it allows threat actors to maintain full control of the malware, infrastructure, and operation.
In 2015, CTU researchers observed banking botnet activity originating from the 14 botnets listed in Figure 1. Analysis of configuration files associated with observed samples revealed that targets included customers of more than 1,500 financial institutions.
Banking botnets continued to target traditional banking and financial institution websites, corporate finance and payroll services, and stock trading organizations in developed countries with sizeable populations and wealthy residents (see Figure 2). In 2015, CTU researchers observed threat actors focusing on countries where institutions have weaker account security, and countries where international transactions are more difficult and require local intervention to launder money. There was a spike in attacks against banks and other financial institutions in the Asia-Pacific region, the Middle East, and Eastern Europe.
Banking botnets have different features and technical proficiency. Although their primary focus is stealing financial information and using compromised systems for monetary gain, they also steal and use email credentials to compromise more systems. Banking botnets became more widespread, resilient, and evasive in 2015. Many of them now integrate multiple backup C2 solutions via backup DGA domains, use compromised routers as proxy servers to conceal actual C2 servers, host payloads on compromised websites, use peer-to-peer (P2P) networks to resist monitoring, and hide and protect their infrastructure and resist surveillance with anonymizing services such as Tor and I2P.
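Of the resilience features listed above, the backup DGA domains are the one a defender can usually spot from DNS telemetry alone: a bot whose primary C2 is down starts resolving a stream of algorithmically generated names, most of which do not exist, so the resolver logs show one client with a run of NXDOMAIN answers for high-entropy labels. The routine below is an added example written for this page, not code from the CTU report or from any of the botnets it names; the query log format and the sample lines are constructed, and the lexical thresholds are illustrative starting points rather than tuned values.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: "client domain rcode", one query per line.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.9 qx7ztkvbp3mwl.com NXDOMAIN
10.0.0.9 r9fjwqzlmvtk2.net NXDOMAIN
10.0.0.9 hkxpz4vqtlwmb.info NXDOMAIN
10.0.0.9 xkqzvtplmwrbn.org NXDOMAIN
10.0.0.9 cdn.example.net NOERROR
10.0.0.7 login.example.com NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits per character of the label; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain):
    """Label left of the public suffix. Simplified: treats the last label as the
    TLD, so 'example.co.uk' would yield 'co'. A real deployment should use a
    public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain):
    """Count how many DGA-like lexical properties the registrable label has.
    Thresholds are illustrative assumptions, not values from the report."""
    label = second_level_label(domain)
    score = 0
    if shannon_entropy(label) >= 3.5:          # near-uniform character mix
        score += 1
    if sum(ch in VOWELS for ch in label) / len(label) < 0.2:   # unpronounceable
        score += 1
    if any(ch.isdigit() for ch in label):      # digits inside the label
        score += 1
    if len(label) >= 12:                       # long label
        score += 1
    return score


def find_dga_suspects(log_text, min_nxdomain=3, min_score=3):
    """Return {client: [domains]} for clients that received at least
    min_nxdomain NXDOMAIN answers for DGA-looking names."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        client, domain, rcode = fields
        if rcode == "NXDOMAIN" and dga_score(domain) >= min_score:
            hits[client].append(domain)
    return {c: d for c, d in hits.items() if len(d) >= min_nxdomain}


if __name__ == "__main__":
    for client, domains in find_dga_suspects(SAMPLE_DNS_LOG).items():
        print(client, domains)
```

The NXDOMAIN condition matters as much as the lexical score: CDNs and tracking services also use long random-looking hostnames, but those resolve, whereas a DGA client burns through names that mostly do not. Requiring several such failures from a single client in a short period is what keeps this usable as a hunting query rather than a noise generator.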
Dyre primarily used the Cutwail spambot as a distribution channel, but the threat actors also used a private spam mailer. Upatre was the main downloader, but a new downloader known as Ruckguv was also used. Dyre dropped the Pushdo loader and the Kegotip credential stealer. On several occasions, CTU researchers observed commands to download the Neverquest variant of Gozi on the Dyre network, while the Gozi botnet was pushing commands to download Dyre on the Gozi network. This reciprocity may indicate a relationship between the Dyre and Gozi operators, possibly that the same threat actors are operating both botnets.
Both Neverquest variants are divided into two parts: a dropper module and the main DLL module. The dropper loads a DLL that initializes the main DLL module. After a system is compromised, the DLL module connects to a predefined list of C2 servers and registers a bot. The C2 server responds with an encrypted configuration file that includes a list of banking websites and corresponding web inject scripts. Neverquest not only steals credentials from FTP, SMTP and POP applications, it can also harvest data from Google, Yahoo, Amazon AWS, Facebook, Twitter, and Skype. Threat actors use these accounts to distribute links to compromised websites to further spread Gozi and other malware. Similar to P2P Gameover Zeus, Neverquest operates with an affiliate model. The botnet is partitioned into sub-botnets, and each affiliate has access to its own subset of bots.
ISFB, also called Ursnif, Papras, and Voslik, is derived from an early variant of Gozi. With its advanced capacity to steal bank account credentials, one-time-password (OTP) tokens, cookies, certificates, and other sensitive information, ISFB instantly became a popular alternative to the Zeus banking trojan. ISFB is a commercially available banking trojan that is available as a botnet kit. It is commonly distributed through exploit kits, spam campaigns, and existing botnets via pay-per-install. CTU researchers identified one ISFB threat group renting the spam service used by a threat group operating the Bugat v5 (Dridex) banking trojan. CTU researchers have observed 15 different versions of ISFB.
Many threat actors using ISFB target specific regions. Several ISFB botnets target organizations in the UK, but the addition of targets in Saudi Arabia, Iran, Japan, Thailand, and Bulgaria indicates that the cybercriminals are shifting their focus toward countries where banking systems have weaker protections. CTU researchers have observed ISFB operators targeting a single bank in a new country for a few weeks, and then expanding to other banks in the same country if the test is successful. The CTU research team has tracked activities from more than 20 ISFB botnets and has captured configuration files associated with more than 750 unique targets.
Bugat v5 has four main components: a loader, a core module (DLL), a VNC module, and a backconnect module. Its modular architecture and hybrid peer-to-peer (P2P) network make it distinct from previous variants. Rather than nodes behaving autonomously and exchanging peer lists, configuration files, and binary updates with other peers, they tunnel almost everything to the backend infrastructure. Bots that perform node actions receive a special information packet that contains the location of an admin node (i.e., an upstream proxy). Similar to P2P Gameover Zeus and Gozi, Bugat v5 uses an affiliate model. The botnet is partitioned into sub-botnets, and each affiliate has access to its own subset of bots. CTU researchers have observed 16 sub-botnets: 120, 121, 122, 125, 126, 127, 200, 220, 223, 300, 301, 303, 305, 310, 320, and 888.
Tinba is an affiliate-based botnet, and each affiliate targets a different region. During 2015, the CTU research team identified separate Tinba campaigns targeting banks and financial institutions in Russia, Poland, Germany, Italy, the Netherlands, Romania, Japan, Indonesia, Singapore, and Malaysia. While sophisticated banking botnets such as Dyre, Bugat v5, and Gozi primarily focus on U.S., UK, and Australian banks and financial institutions, Tinba also focuses on targets in Asia. CTU researchers observed Tinba using campaign IDs similar to Bugat v5.
Corebot was discovered in the fall of 2015, and initial samples indicated that it was simple malware without any web inject capability. Enhancements in a second iteration led CTU researchers to identify Corebot as a fully capable banking trojan that supports browser hooking, form grabbing, MITM attacks, web injects (including dynamic web inject download from remote servers), and VNC for remote control. It has two parts: a loader and a main module. It uses a DGA as a fallback mechanism. Analysis of Corebot's web inject capability revealed that it displays a wait notice instructing a victim to stay online while the botnet operator connects to the victim's computer over VNC to perform fraud. Like other banking trojans, Corebot also injects into the Internet Explorer (IE), Firefox, and Chrome browsers to steal web sessions. Corebot uses RC4 for encryption, and based on its RC4 keys and communication protocol, the CTU research team believes that Corebot has a kit-based architecture.