New “Mirai” Variant Is Exploiting Tenda Router Zero-Days

By Bill Toulas / October 6, 2020

A new Mirai bot variant called “Ttint” is wreaking havoc on Tenda routers by exploiting zero-day flaws in the devices. This new piece of malware is particularly nasty, combining a set of remote access tool features, spyware, and the Mirai-typical “denial of service” capabilities. The RAT alone implements no fewer than twelve remotely triggered functions, which hackers use to tamper with router DNS, set iptables, execute custom system commands, and set up malicious proxies.

To avoid raising any flags from security products, Ttint passes its C2 communications through encrypted tunnels using the WebSocket over TLS protocol. As for the C2 infrastructure itself, the attackers opt for a Google cloud service IP and also a hosting provider in Hong Kong. In general, though, the actors use a rich C2 infrastructure with multiple domain names, IPs, Mirai samples, etc.

Source: 360 Netlab

The flaws exploited by the new Mirai bot are CVE-2018-14558 and CVE-2020-10978. The second vulnerability is a zero-day discovered to be under active exploitation on August 28, 2020. The 360 Netlab researchers have since reported it to Tenda, along with the relevant PoC. However, the flaw remains unfixed, and so Ttint is free to continue its malicious spread.


The device that is vulnerable to this is Tenda AC15 AC1900 using firmware version This is a pretty popular product that is promoted as an inexpensive yet high-speed dual-band router that features powerful signal amplifiers and seamless 5GHz connectivity.

Mirai is exploiting this popularity to enable hackers to execute a wide range of commands on the target device. More specifically, there are ten DDoS commands known from previous Mirai variants, and twelve new ones.

Ttint Bot Commands

ID    Function
0     attack_udp_generic
1     attack_udp_vse
2     attack_udp_dns
9     attack_udp_plain
3     attack_tcp_flag
4     attack_tcp_pack
5     attack_tcp_xmas
6     attack_grep_ip
7     attack_grep_eth
10    attack_app_http
12    run "nc" command
13    run "ls" command
15    Execute system commands
16    Tampering with router DNS
18    Report device information
14    Config iptables
11    run "ifconfig" command
17    Self-exit
19    Open Socks5 proxy
20    Close Socks5 proxy
21    Self-upgrade
22    Reverse shell

One thing Tenda router users can do is check for firmware upgrades and apply them immediately. They may also manually add the IoCs provided by 360 Netlab to a blocklist. If Tenda fails to address the flaw now that the researchers have proceeded with its full publication, using a different router model would be a wise thing to do.
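As an added example (not code from 360 Netlab or from this article), here is one way to turn a defanged IoC list into blocklist entries, assuming a Linux gateway that uses ipset and dnsmasq. The sample indicators are constructed placeholders from documentation ranges, and the set name `ttint_c2` and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed, defanged sample: documentation-range placeholders, not real Ttint IoCs.
SAMPLE_IOCS = """\
# C2 IPs
192.0.2[.]15
198.51.100.7:443
10.0.0.1
hxxps://c2.example[.]com/ws
Update.Example[.]net
c2.example.com
not an indicator
"""

# Never block your own LAN or loopback because of a typo in the list.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def refang(token):
    """Undo common defanging and strip scheme, path and port."""
    token = token.strip().lower().replace("[.]", ".").replace("(.)", ".")
    token = re.sub(r"^(hxxps?|https?|wss?)://", "", token).split("/")[0]
    return token.rsplit(":", 1)[0] if token.count(":") == 1 else token

def classify(host):
    """Return 'ip', 'domain' or None for a refanged token (IPv4 only)."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        return "domain" if HOST_RE.match(host) else None
    return None if any(ip in net for net in LOCAL_NETS) else "ip"

def parse_iocs(text):
    """Return (IPv4 list, domain list, rejected lines), deduplicated and sorted."""
    found, rejected = {"ip": set(), "domain": set()}, []
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()  # drop comments and blank lines
        host = refang(line)
        if kind := classify(host):
            found[kind].add(host)
        elif line:
            rejected.append(line)  # keep for manual review, never block blindly
    ips = sorted(found["ip"], key=ipaddress.IPv4Address)
    return ips, sorted(found["domain"]), rejected

def render(ips, domains, set_name="ttint_c2"):
    ipset = [f"create {set_name} hash:ip"] + [f"add {set_name} {ip}" for ip in ips]
    return ipset, [f"address=/{d}/0.0.0.0" for d in domains]
```

The first list returned by `render` is input for `ipset restore`, after which a rule such as `iptables -I FORWARD -m set --match-set ttint_c2 dst -j DROP` drops traffic to the listed addresses. The second list is dnsmasq configuration that sinkholes the listed domains.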
