New IoT botnet infects wide range of devices

Stealthy Torii a level above Mirai and Qbot copycats.

Researchers have unearthed a new malware actively attacking a large range of internet of things (IoT) devices, with advanced capabilities that go beyond existing threats such as Mirai and Qbot.

Security vendor Avast named the new botnet "Torii" as it attacks targets via The Onion Router (TOR) exit nodes to obfuscate its origin.

Noted anti-virus veteran Vesselin Bontchev first discovered the malware as it was caught by his Cowrie secure shell and telnet remote access honeypot.

Bontchev said the new malware spreads via the Telnet remote access service and downloads a sophisticated shell script disguised as a cascading style sheet (CSS) file, which in turn plants an executable file on the infected IoT device, tailored to its specific processor architecture.

Further analysis by Avast researchers found that Torii is able to target a large range of systems used on IoT devices, including MIPS, ARM, Intel x86 and x64, IBM PowerPC, Hitachi SuperH and more.

Avast's analysis of the malware and logs from the command and control and download servers it uses indicates that Torii has been active since December last year, and possibly earlier.

The researchers said "its sophistication is a level above anything we have seen before".

As of now, the Torii botnet has a rich set of features to exfiltrate sensitive information from infected networks and its modular architecture can fetch executables from remote servers and run them on compromised devices.

Unlike Mirai and Qbot, Torii does not currently engage in distributed denial of service attacks or cryptocurrency mining, but it is capable of both activities.

Malware such as Mirai, which attacks poorly protected IoT devices such as residential routers and enrols them in large botnets, has been responsible for mass DDoS attacks worldwide.

Copycat malware based on the less sophisticated Mirai and Qbot continues to appear, Avast said.

Copyright © iTnews.com.au. All rights reserved.