Ttint Botnet Description
The Ttint Botnet is an IoT (Internet of Things) botnet that has been active for over a year. According to the specialists' analysis, the criminals exploited two zero-day vulnerabilities to infiltrate Tenda routers and install malware. While most IoT botnets are used primarily to launch DDoS attacks, the Ttint Botnet offers a far wider range of functions, including carrying out remote access commands and tampering with the router's DNS settings.
Two Versions of Ttint Spotted So Far
When the Ttint Botnet was first detected, it relied on abusing a Tenda zero-day vulnerability that is tracked as CVE-2018-14558 & CVE-2020-10987. The hackers were able to exploit this vulnerability to spread their malware for over six months. However, in July 2020, a report was released detailing the zero-day vulnerability and making it public knowledge. Although Tenda has still not issued an update fixing the issue, the hackers switched their tactics quickly and released a new version of their threatening tool in just a couple of weeks. Functionally, this second iteration remained virtually unchanged, but it had switched to exploiting a different zero-day vulnerability, one that has so far remained undisclosed and unpatched.
People using Tenda routers should be vigilant and check the firmware on their devices. According to the researchers, firmware versions ranging from AC9 to AC18 are likely to be targeted and fall victim to the Ttint Botnet. The most affected devices are located in Brazil, followed by the U.S., South Africa and India.
Ttint is a Modified Mirai
At its core, the Ttint Botnet is a Remote Access Trojan targeting router devices, built as a heavily expanded and modified version of the Mirai Botnet IoT malware. The Mirai Botnet has remained a popular choice among cybercriminals ever since its source code was leaked online back in 2016, which has allowed hackers with varying degrees of skill to release variants into the wild. Taken by themselves, the different components and functions of the Ttint Botnet are nothing particularly new, but the fact that the hackers responsible for it have managed to combine aspects of different IoT and Linux malware into a single entity makes the threat rather unique.
For starters, the Ttint Botnet has preserved 10 DDoS attack instructions from the Mirai Botnet but has been equipped with 12 new commands responsible for its remote access behavior. Another significant departure from the Mirai Botnet is the way the Ttint Botnet handles its Command-and-Control (C2) communication: the Ttint Botnet reportedly uses the WebSocket protocol for this channel.
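As an added example (not code from the original article or the researchers' report), a small Python check over captured HTTP request headers that flags an RFC 6455 WebSocket opening handshake initiated by the gateway itself toward a host outside an allowlist. The gateway address, the allowlist and the sample requests are constructed placeholders, and the check assumes a monitoring point that sees the router's own outbound connections.

```python
"""Flag WebSocket handshakes that originate from the gateway itself.
Added example, not code from the original article: assumes a monitoring point
sees the router's own outbound HTTP requests; placeholders are marked below."""
import base64

GATEWAY_IP = "192.0.2.1"                # constructed placeholder (RFC 5737 range)
ALLOWED_HOSTS = {"update.example.net"}  # constructed placeholder allowlist

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lowercase-name header dict)."""
    request_line, *header_lines = raw.decode("latin-1").partition("\r\n\r\n")[0].split("\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in header_lines)}
    return request_line, headers

def is_websocket_handshake(headers):
    """RFC 6455 client opening handshake: Upgrade, Connection, 16-byte key, version 13."""
    if (headers.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in headers.get("connection", "").lower()
            or headers.get("sec-websocket-version") != "13"):
        return False
    try:  # the key must be base64 of exactly 16 bytes
        return len(base64.b64decode(headers.get("sec-websocket-key", ""), validate=True)) == 16
    except ValueError:  # binascii.Error (malformed base64) is a ValueError subclass
        return False

def check_request(src_ip, raw):
    """Alert string when the gateway opens a WebSocket to a non-allowlisted host, else None."""
    request_line, headers = parse_request(raw)
    if src_ip != GATEWAY_IP or not is_websocket_handshake(headers):
        return None
    host = headers.get("host", "").split(":")[0]
    if host in ALLOWED_HOSTS:
        return None
    return f"gateway {src_ip} opened WebSocket to {host} ({request_line})"

def scan(samples):
    """Return the alerts raised over (source IP, raw request) pairs."""
    return [a for a in (check_request(ip, raw) for ip, raw in samples) if a]

# Constructed sample requests (not real Ttint traffic); the key is RFC 6455's own example.
KEY = b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n"
SAMPLES = [
    ("192.0.2.1", b"GET /ws HTTP/1.1\r\nHost: 203.0.113.7:8080\r\nUpgrade: websocket\r\n"
                  b"Connection: Upgrade\r\n" + KEY + b"\r\n"),              # gateway -> unknown host
    ("192.0.2.1", b"GET /check HTTP/1.1\r\nHost: update.example.net\r\n\r\n"),  # plain HTTP, ignored
    ("192.0.2.50", b"GET /chat HTTP/1.1\r\nHost: 203.0.113.7\r\nUpgrade: websocket\r\n"
                   b"Connection: keep-alive, Upgrade\r\n" + KEY + b"\r\n"),  # LAN client, ignored
]
```

Calling scan(SAMPLES) yields the single constructed alert for the gateway-originated handshake; in practice the pairs would come from a capture of the router's outbound traffic.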