Ttint Is a New IoT Malware Targeting Tenda Routers

Security researchers have identified a new Mirai-based IoT malware infecting the Tenda AC15 AC1900 router by using recently revealed 0-day vulnerabilities.

Commercial routers have numerous security problems. Lack of support is one of them, with manufacturers rarely releasing firmware updates. A recent study showed that, on average, routers receive a security update once a year, but it can take even longer.

Security researchers from 360Netlab discovered a new Remote Access Trojan (RAT) based on Mirai, the infamous botnet that wreaked havoc in 2016. Since then, numerous other malware used code from Mirai, including this recently uncovered Ttint.

“The conventional Mirai variants normally focus on DDoS, but this variant is different,” say the researchers. “In addition to DDoS attacks, it implements 12 remote access functions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, executing custom system commands,” they continue.

Its developer also used the WSS (WebSocket over TLS) protocol to communicate with the command center, allowing it to avoid regular scrutiny that searches for Mirai communications.

Two different Tenda 0-day vulnerabilities (CVE-2018-14558 & CVE-2020-10987) helped the attackers deploy their malware successfully. The timeline shows that threat actors knew about the vulnerabilities because the first signs were detected on November 9, 2019. The official disclosure of the vulnerability came on July 10, 2020.

Criminals had more than six months to infect Tenda routers, but the company has yet to respond to the researchers, let alone release an update. Such botnets only work because router manufacturers don’t fix vulnerabilities, even for devices that are still supported.

Tenda AC15 AC1900 is the affected router, and the only possible mitigation would be to at least reboot the device, but that doesn’t guarantee it won’t be infected again.