Tenda Router Zero-Days Emerge in Spyware Botnet Campaign
A new malware variant has been discovered by researchers and has the capability to conduct espionage and denial-of-service attacks. The malware is a variant of the Mirai botnet and has been named Ttint. Ttint can perform a variety of functions, ranging from remote-access-trojan tactics and spyware capabilities. Researchers at 360Netlab state that the botnet is unusual for its 12 remote access functions, which combine custom command-and-control server commands to perform tasks. Ttint uses this combination to set up a Socket5 proxy for router devices, then able to tamper with router DNS and execute custom system commands.
Ttint also leverages encrypted channels to communicate, allowing it to avoid detection. According to experts at 360Netlab, the infrastructure of Ttint migrates, as researchers first observed the attackers utilizing a Google cloud service IP, then switching to a hosting provider based in Hong Kong. Ttint samples have been exploited since November 2019, according to research, but was not disclosed until July 2020. The bug is reportedly a critical command-injection vulnerability ranking a 9.8 out of 10 on the CvSS severity scale.