Cyber Security

Ttint RAT Malware Targets Tenda Routers via Two Zero-Day Vulnerabilities

Researchers observed a new IoT (Internet of Things) botnet called Ttint targeting Tenda routers. Security researchers at NetLab report that the botnet uses a malware threat that exploits two zero-day vulnerabilities to infect its targets.

Ttint not only performs DDoS attacks to infect its target but also implements 12 additional remote access techniques to attack routers, employs routers as traffic proxies, and tempers with the routers' DNS and firewall settings. Additionally, the threat allows its operators to execute commands on the host devices.

Two Unpatched Zero-Day Vulnerabilities Used in Ttint Campaigns

NetLab reports that the Ttint malware was first deployed last year. Researchers detected Ttint in November 2019.Ttint targeted vulnerable Tenda routers by exploiting the CVE-2020-10987 vulnerability, which was first disclosed on July 10, 2020.

The attacks continued till July 2020, when Sanjana Sarda, a researcher at Independent Security Evaluators, published a detailed report about the five vulnerabilities, one of which being CVE-2020-10987.

Despite the warning, Tenda didn't release a security patch. Ttint, on the other hand, didn't waste time waiting for Tenda to interfere with their activities. A few weeks after Sarda published the report, Ttint started abusing a second zero-day vulnerability in Tenda routers.

Figure1: Ttint Attack Vector

Ttint RAT vulnerabilities
In August 2020, Ttint V2 started exploiting an undisclosed Zero-day vulnerability Source: NetLab


NetLab didn't publish details about the zero-day vulnerabilities due to security concerns. However, the researchers reached out to Tenda, who are yet to address the security concerns.

According to the research, Tenda routers running firmware versions AC19 to AC18 are vulnerable. Researchers say that the attackers could redirect unsuspecting Tenda users to malicious websites by altering the DNS settings of their vulnerable routers.

Therefore, users are recommended not to use unpatched routers. Users who are unsure whether their devices are vulnerable can check the firmware version in the router's admin panel.

About Ttint Malware

Ttint is a Remote Access Trojan (RAT)  based on the code of another infamous botnet malware called Mirai, which was leaked in 2016.

Ttint behaves like a standard botnet while running. It deletes its files and prevents the host device from restarting. The threat also implements typical Mirai features, such as running as a single instance by binding the port, selecting random process names, and integrating a large number of attack vectors.

Although other similar versatile threats were observed in the past, this level of adaptable RAT has never been used to attack IoT devices. Ttint could be the first of a new generation IoT malware, deployed in sophisticated campaigns.

Show More

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.

Previous/Next Posts

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button