
Rewterz Threat Alert – Ttint – An IoT RAT Exploiting Two 0-Days

October 9, 2020

Severity

Medium

Analysis Summary

An attacker has been detected using two Tenda router 0-day vulnerabilities to spread a Remote Access Trojan (RAT) based on Mirai code. Mirai is known for using multiple exploits to target routers and other devices. Conventional Mirai variants focus on DDoS, but this variant is different: in addition to DDoS attacks, it implements 12 remote access functions for router devices, such as a Socks5 proxy, tampering with the router's DNS, setting iptables rules and executing custom system commands. At the C2 communication level it uses the WSS (WebSocket over TLS) protocol, which circumvents the typical traffic-level detection of Mirai and also gives the C2 channel encrypted transport.

The vulnerabilities CVE-2018-14558 and CVE-2020-10987 have been used to spread Ttint samples. Earlier Mirai variants exploited vulnerabilities in attacks in July and August as well. When running, Ttint deletes its own files, manipulates the watchdog and prevents the device from restarting, and runs as a single instance by binding a port; it then modifies its process name to confuse the user, and finally establishes a connection with the decrypted C2, reports device information, and waits for the C2 to issue instructions before executing the corresponding attack or custom function. It retains a large number of Mirai features, such as single-instance operation, random process names, encryption of sensitive configuration information and integration of a large number of attack vectors. Ttint Bot supports 22 C2 commands: the 10 DDoS commands come from Mirai, and the remaining 12 are new.

ID   Instruction
0    attack_udp_generic
1    attack_udp_vse
2    attack_udp_dns
9    attack_udp_plain
3    attack_tcp_flag
4    attack_tcp_pack
5    attack_tcp_xmas
6    attack_grep_ip
7    attack_grep_eth
10   attack_app_http
12   run "nc" command
13   run "ls" command
15   Execute system commands
16   Tampering with router DNS
18   Report device information
14   Config iptables
11   run "ifconfig" command
17   Self-exit
19   Open Socks5 proxy
20   Close Socks5 proxy
21   Self-upgrade
22   Reverse shell

Impact

  • Unauthorized Remote Access
  • DDoS
  • Data Exfiltration

Indicators of Compromise

Domain Name

  • cnc[.]notepod2[.]com
  • back[.]notepod2[.]com
  • q9uvveypiB[.]notepod2[.]com
  • uhyg8v[.]notepod2[.]com

Source IP

  • 34[.]92[.]85[.]21
  • 34[.]92[.]139[.]186
  • 43[.]249[.]29[.]56
  • 45[.]249[.]92[.]60
  • 45[.]249[.]92[.]72
  • 103[.]60[.]220[.]48
  • 103[.]108[.]142[.]92
  • 103[.]243[.]183[.]248

URL

  • http[:]//45[.]112[.]205[.]60/td[.]sh
  • http[:]//45[.]112[.]205[.]60/ttint[.]i686
  • http[:]//45[.]112[.]205[.]60/ttint[.]arm5el
  • http[:]//45[.]112[.]205[.]60/ttint[.]mipsel
  • http[:]//34[.]92[.]139[.]186[:]5001/bot/get[.]sh
  • http[:]//34[.]92[.]139[.]186[:]5001/bot/ttint[.]mipsel
  • http[:]//34[.]92[.]139[.]186[:]5001/bot/ttint[.]x86_64

Remediation

  • Block the threat indicators at their respective controls.
  • Keep all systems, devices and software updated to the latest patched versions.
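The remediation above asks for the indicators to be blocked at their respective controls, which in practice means turning the defanged list into something a DNS resolver, firewall or proxy can consume and then checking existing logs for earlier contact. The following Python script is an added example written for this advisory, not code from Rewterz or from the Ttint analysis: it refangs a subset of the indicators listed above, classifies each as a domain, IP or URL (a URL also contributes its host to the block list), and scans a few constructed log lines for matches. The log lines, hostnames and timestamps are invented for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# A constructed subset of the advisory's defanged indicators (copied from the
# page above, not a live feed). Any feed in the same defanged style would work.
DEFANGED_IOCS = [
    "cnc[.]notepod2[.]com",
    "back[.]notepod2[.]com",
    "34[.]92[.]85[.]21",
    "34[.]92[.]139[.]186",
    "http[:]//45[.]112[.]205[.]60/td[.]sh",
    "http[:]//34[.]92[.]139[.]186[:]5001/bot/get[.]sh",
]

# Constructed sample log lines (DNS, firewall, proxy) to scan; not real telemetry.
SAMPLE_LOGS = [
    "2020-10-09T10:01:02Z dns query router-01 A cnc.notepod2.com",
    "2020-10-09T10:01:05Z fw permit tcp 192.168.1.1:44021 -> 34.92.139.186:5001",
    "2020-10-09T10:01:07Z proxy GET http://34.92.139.186:5001/bot/get.sh 200",
    "2020-10-09T10:02:00Z dns query laptop-07 A www.example.com",
]


def refang(ioc: str) -> str:
    """Undo common defanging: [.] -> ., [:] -> :, hxxp(s) -> http(s)."""
    s = ioc.strip().replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.I)
    return s


def classify(ioc: str) -> tuple[str, str]:
    """Return (kind, value) with kind in {'url', 'ip', 'domain'} after refanging."""
    s = refang(ioc)
    if "://" in s:
        return "url", s
    try:
        ipaddress.ip_address(s)  # raises ValueError for anything that is not an IP
        return "ip", s
    except ValueError:
        return "domain", s.lower()


def build_blocklist(iocs):
    """Group indicators by kind; a URL's host is also added so it can be blocked upstream."""
    out = {"url": set(), "ip": set(), "domain": set()}
    for ioc in iocs:
        kind, value = classify(ioc)
        out[kind].add(value)
        if kind == "url":
            host = urlparse(value).hostname
            if host:
                host_kind, host_value = classify(host)
                out[host_kind].add(host_value)
    return out


def match_log_line(line: str, blocklist) -> list[str]:
    """Return every indicator that appears in one log line, with boundary checks so
    34.92.85.21 does not match 134.92.85.21 or 34.92.85.210."""
    hits = []
    low = line.lower()
    for dom in blocklist["domain"]:
        # Leading '.' is allowed so subdomains of a listed domain still match.
        if re.search(r"(^|[^a-z0-9-])" + re.escape(dom) + r"($|[^a-z0-9-])", low):
            hits.append(dom)
    for ip in blocklist["ip"]:
        if re.search(r"(^|[^0-9.])" + re.escape(ip) + r"($|[^0-9.])", line):
            hits.append(ip)
    for url in blocklist["url"]:
        if url.lower() in low:
            hits.append(url)
    return hits


def scan(lines, blocklist):
    """Return (line, hits) for every log line that touches a known indicator."""
    return [(line, hits) for line in lines if (hits := match_log_line(line, blocklist))]


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_IOCS)
    for kind in ("domain", "ip", "url"):
        print(f"block {kind}: {sorted(bl[kind])}")
    for line, hits in scan(SAMPLE_LOGS, bl):
        print(f"HIT {hits} <- {line}")
```

The block list output is what you would feed into a resolver response-policy zone, a firewall address group or a proxy deny list; the scan over historical DNS and proxy logs is the retrospective check that tells you whether a device has already reached the download server or the C2 domains before the block went in.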