Tenda Router Zero-Days Emerge in Spyware Botnet Campaign

ttint botnet mirai variant zero days

A variant of the Mirai botnet, called Ttint, has added espionage capabilities to complement its denial-of-service functions.

Two former Tenda router zero-days are anchoring the spread of a Mirai-based botnet called Ttint. In addition to denial-of-service (DoS) attacks, this variant also has remote-access trojan (RAT) and spyware capabilities.

According to 360Netlab, the botnet is unusual in a few ways. For one, on the RAT front, researchers said that it implements 12 remote access functions, that combine with custom command-and-control (C2) server commands to carry out tasks like setting up a Socket5 proxy for router devices, tampering with router DNS, setting iptables and executing custom system commands.

In addition, Ttint also uses encrypted channels to communicate with the C2 – specifically, using the WebSocket over TLS (WSS) protocol. Researchers said that this allows the traffic to avoid detection while providing additional security.

And finally, the infrastructure seems to migrate. 360Netlab first observed the attackers using a Google cloud service IP, before switching to a hosting provider in Hong Kong.


Tenda routers are available at big-box stores and are used in homes and small offices. The first vulnerability used to spread Ttint samples (CVE-2018-14558) has been exploited since at least November of last year; but it wasn’t disclosed until July. There’s now a firmware update available to address it.

The bug is a critical command-injection vulnerability, rated 9.8 out of 10 on the CvSS vulnerability-severity scale. It allows attackers to execute arbitrary OS commands via a crafted goform/setUsbUnload request. It arises because the “formsetUsbUnload” function executes a dosystemCmd function with untrusted input.

In late August, a second critical Tenda router vulnerability (CVE-2020-10987) emerged in the campaign. It’s also rated 9.8 out of 10 and was initially disclosed in July by Independent Security Evaluators, after it had tried since January to get a patch from Tenda. It was able to exploit the bug in order to cause a DoS condition.

The bug exists because the goform/setUsbUnload endpoint of Tenda AC15 AC1900 version allows remote attackers to execute arbitrary system commands via the deviceName POST parameter, according to the CVE description.

360Netlab also tried to warn Tenda about issues with the bug, this time for use in botnet infections.

“On August 28, 2020, we reported the details of the second 0-day vulnerability and the PoC [proof of concept] to the router manufacturer Tenda via email, but the manufacturer has not yet responded,” researchers said.

Threatpost has reached out to the manufacturer for more information.

Ttint RAT

Ttint as a malware can carry out 10 typical Mirai DDoS attack instructions (including multiple attack vectors), along with 12 RAT instructions and 22 custom C2 commands that work together.

“Generally speaking, at the host level, Ttint’s behavior is relatively simple,” according to the researchers. “When running, it deletes its own files, manipulates the watchdog and prevents the device from restarting, it runs as a single instance by binding the port; then modifies the process name to confuse the user…it finally establishes a connection with the decrypted C2, reporting device information, waiting for C2 to issue instructions, and executing corresponding attacks or custom functions.”

Researchers said, among the most notable of the RAT functions is the command to bind a specific port issued by C2 to enable Socket5 proxy service. This allows attackers to remotely access the router’s intranet, and roam across the network.

“Generally speaking, Ttint will combine multiple custom functions to achieve specific attack goals,” the researchers explained. “Take the two adjacent commands we captured, the first command is iptables -I INPUT -p tcp –dport 51599 -j ACCEPT, to allow access to port 51599 of the affected device. The next command is to enable the Socket5 proxy function on port 51599 of the affected device. The combination of the two commands enabled and allowed the attacker to use the Socket5 proxy.”

Another command tells the malware to tamper with the router DNS by modifying the resolv.conf file, allowing it to hijack the network access of any of the router’s users. This in turn allows attackers to monitor or steal sensitive information.

Meanwhile, by setting iptables up, the operators can achieve traffic forwarding and target address conversion, which could expose internal network services and lead to information disclosure. And, by implementing a reverse shell through socket, the author of Ttint can operate the shell of the affected routing device as a local shell.

And finally, the custom commands also allow the malware to self-update and self-destruct.

The C2 information of the Ttint Bot sample is encrypted and stored in the configuration information table in the Mirai format, protected with a XOR key, researchers said.

“When the bot is running, it decrypts to obtain the C2 address,…and then communicates with C2 securely through the WebSocket over TLS protocol,” according to the researchers. “When Ttint C2 replies to the bot with a response code of 101, it means that the protocol handshake is completed, and then the bot can communicate using the WebSocket protocol.”

There has of late been a resurgence of Mirai-based malware capable of building large botnets through the exploitation of poorly secured IoT devices. This has contributed to a significant uptick in the number of distributed denial-of-service (DDoS) attacks in the first half of the year, compared to the same period last year. The addition of the RAT and concerning C2 commands marks a change for the Mirai world, however.

“Two zero-days, 12 remote-access functions for the router, encrypted traffic protocol and infrastructure IP that that moves around,” the firm wrote in a recent blog. “This botnet does not seem to be a very typical player.”

On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.